Are you GDPR compliant?
Do you hold any personal data about individuals? If the answer is yes then you need to know about GDPR.
Right now, there are still some unknown details about the legislation that will be put in place, but what is known is that the new General Data Protection Regulation (GDPR) becomes law on 25 May 2018.
That means there is less than six months left to prepare for the biggest shake up of data protection law in 20 years.
There is lots of dubious advice out there at the moment, with some legal experts even advising that you need to delete all your historic records.
But that is not necessarily the case. Getting ready for GDPR is not simply about deleting old records. In fact, getting prepared for GDPR presents an opportunity to re-engage your list and build an engaged audience instead.
Oh, and GDPR is NOT only about your database systems. It goes way beyond that.
GDPR applies to all personal data in both computerised systems and manual filing systems. This includes emails, recorded phone calls, backups, files on computers and network drives…
20 years working with IT and Data
You may or may not know this, but before I became involved in sales and marketing I was a tech guy. I’m a computer science graduate and I started my career working in an information systems department.
Having worked with large scale IT systems and data for over 20 years (including implementing updates when the current Data Protection Act was introduced in the late 90s) I decided to get myself up to speed with the changes coming in GDPR.
I heard loads of clients talking about GDPR and was sick of the amount of scaremongering being used to sell unnecessary software tools and expensive compliance audits.
As the Information Commissioner, Elizabeth Denham, recently said on her blog: “Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.”
Elizabeth Denham added that it’s scaremongering to suggest that the Information Commissioner’s Office (ICO) will be making early examples of organisations for minor infringements or that maximum fines will become the norm.
Getting up to date
I am now qualified as a certified GDPR Practitioner having successfully passed an exam based on a GCHQ training course. But, I have no intention of selling GDPR audits or compliance software.
I gained the qualification to understand how to implement necessary changes in my businesses and to help my coaching clients and mastermind members.
As I was working through how to implement GDPR into my businesses I summarised and simplified the steps that can be taken now into an actionable 7-part system.
Here are the 7 steps you can take right now to prepare your business for GDPR, which comes into force from 25 May 2018, replacing the current Data Protection Act that has been in place for two decades!
Note: this article is intended to be an overview and not an exhaustive list.
#1 – Awareness
Are all the key people in your organisation aware that Data Protection law is changing to the GDPR?
It is essential that your team are getting familiarised with GDPR and appreciate the impact it is likely to have on your business.
If you leave your preparations until the last minute, you may find compliance difficult to achieve.
Implementing the GDPR could have considerable resource implications and the maximum fines for organisations that fail to comply are significant (up to 20 million Euros or 4% of worldwide turnover, whichever is the greater).
#2 – Audit
Essential to making your business GDPR compliant is having clarity on the personal data you hold. Some key things to know are:
• Where did the data come from?
• What do you use it for?
• How long do you need to keep it?
• Who do you share it with?
In addition to auditing the personal data you store, you should also check your business processes to ensure they cover all the rights individuals have, including how you would delete or restrict processing of personal data and how you would provide data electronically and in a commonly used format.
Included in a review of your processes, you should make sure you have an appropriate procedure in place to enable you to detect, report and investigate any breach of personal data.
Finally, you should audit your privacy notices and arrange for any necessary changes to be put in place ready for enforcement of GDPR.
#3 – Authorisation
In order to be compliant with GDPR, you need to identify and document your lawful basis for storing and processing personal data.
You should include your lawful basis for processing personal data in your privacy notice and also include it when responding to any request from an individual to see the data you hold (this is known as a Subject Access Request).
If your lawful basis for processing is consent from the individual then you need to review how you seek, record and manage consent and if you hold information about children then you should assess the need to put systems in place to verify individuals’ ages and obtain parental or guardian consent for any data processing activity.
Be aware that you may also need to refresh existing consents before 25 May 2018 if they don’t meet the GDPR standard, but…
Be careful not to breach current data protection law when asking for consent.
Earlier this year the Information Commissioner’s Office (ICO) fined Flybe £70,000 for breaking the Privacy and Electronic Communications Regulations (PECR). The airline sent an email with the subject ‘Are your details correct?’ that entered recipients into a prize draw for updating their preferences.
Honda were also recently fined £13,000 for breaching PECR for an email they sent aiming to clarify certain customers’ choices for receiving marketing. Honda failed to provide evidence that the customers had ever given consent to receive this type of email.
#4 – Assessments
Have you implemented Data Protection Impact Assessments (DPIA) in your business?
GDPR makes privacy by design an express legal requirement and DPIAs will be MANDATORY in certain circumstances.
If you undertake (or plan to undertake) any data processing that is likely to result in high risk to personal data, such as the implementation of new technology, undertaking profiling that could have a significant impact on an individual or processing large amounts of special category data, then you MUST complete a DPIA.
You should start to assess the situations in which it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved? Will the process be run centrally or locally?
#5 – Access
Do you have a plan in place that will enable you to effectively handle subject access requests within the new timescales?
GDPR reduces the time you have to respond to a subject access request. Under current data protection law you have 40 days. Under GDPR, you must respond without undue delay and at the latest, within one month.
If there is a risk that your organisation could receive a large number of subject access requests, then how would you handle this?
You need to consider the logistical implications of having to deal with all the requests within the new timescales. You may also want to consider implementing systems that allow individuals to access their information easily online.
Note: the right to access is just one of eight rights individuals have under GDPR. The others are: the right to be informed; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not to be subject to automated decision making (including profiling).
#6 – Appoint
Does your business already have a Data Protection Officer (DPO)?
If not, then you need to consider whether you need to appoint one. Note: You may be REQUIRED to have one!
Your DPO will need to have sufficient knowledge of data protection and have suitable authority and support to implement the measures needed to keep your business compliant.
If you have (or decide to appoint) a DPO, then where do they (or should they) sit within your organisation?
#7 – Agreements
What agreements do you have in place with other organisations that process personal data on your behalf and what changes need to be made in order to be compliant with GDPR?
Under GDPR, whenever you make use of a third-party data processor (this includes hosting / storage of personal data) you need to have a written contract in place.
The contract needs to clearly define the responsibilities and liabilities of both parties and GDPR sets out specific details that need to be included in the contract.
Standard contract clauses may be provided by the European Commission or the ICO at some point in the future. However, at the moment no standard clauses have been drafted.
If your business holds personal data, then you are liable for compliance with GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of GDPR will be met and the rights of data subjects protected.
If you currently use cloud-based services you should review the contracts and security arrangements you have in place and also consider WHERE the data is stored, as this may be overseas and subject to GDPR overseas transfer requirements.
If your business operates in multiple countries or transfers data overseas FOR ANY REASON (including hosting) then you will need to consider what safeguards apply or are needed.