Fed Up of Hearing About GDPR?
Are you suffering from GDPR overload?
It seems like you can’t read a marketing or IT blog lately without stumbling over a reference to GDPR. Yet how many of us really understand the requirements of the regulation? And, more importantly, how many of us are acting on them?
The deadline is fast approaching: GDPR will be enforced on 25th May, 2018.
Yet, as recently as November, Computer Weekly was reporting that most UK small businesses are still in the dark about GDPR.
If you hold personal data on identifiable persons (and this will still apply after we officially leave the EU) then you need to understand the impact of GDPR.
We consider your next steps.
Get Outside Expert Help
With just three months to go until GDPR is enforced, if you haven’t already started implementing plans to ensure compliance with the regulation, it is probably time to call in expert third-party help, especially if you are a consumer-facing organisation which holds a lot of data on the individuals you serve.
Read ICO’s Advice
The Information Commissioner’s Office (ICO) has published a great deal of advice about GDPR, its likely impact and how UK businesses and organisations can prepare, including a 12-step guide. You can read their GDPR advice here.
A Shift in Focus
The main goal of GDPR is to enable individuals to regain control of the personal data that organisations hold on them. With this in mind, the regulations stipulate a “privacy by design” approach to information management.
Depending on your existing data management policies, this may require a fairly radical rethinking of the way you collect, manage and store the personal information of your customers and contacts.
The ICO suggests that the “privacy by design” mantra should guide your actions; do this and you shouldn’t go far wrong.
Understand the New Definition of Personal Data
Under the guidelines, even your name can be considered personal data. These changes have been made to reflect advances in technology and the possibilities they offer for tracking consumers’ behaviour.
Understand the New Consumer Rights
Individuals are granted additional rights under GDPR; these include:
1. The right to be forgotten
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right of data portability
7. The right to object
8. The right in relation to automated decision-making and profiling
You need to ensure you have policies and procedures in place so that you can enable any individual on whom you hold data to exercise these rights.
You must have clear consent in order to process personal data.
Under GDPR, consent should be specific, informed, unambiguous and freely given, so that the individual can make a real choice about how their personal data is used.
Privacy notices should be considered in tandem with consent.
An individual must understand – and give consent to – the uses to which their data will be put.
As well as ensuring that you have proof of consent for each of these uses, you also need to ensure that you gain further consent before you use an individual’s data for purposes other than those for which they have expressly given consent.
This may require changes to the way you capture consent; i.e. more explicit explanations about how data will be used. It is more than likely to require changes to the way you manage consent once given.
Are You Sharing Data with Third Parties?
Another important element of GDPR focuses on how you share data. If you are sharing personal data with third party organisations, the implications of this must be considered within the other elements of GDPR.
For example: gaining consent for the data to be shared, and ensuring that your policies around the exercising of rights extend to the data held by the third parties, e.g. in terms of the right to be forgotten.
Consider Data Security
Cyber Security is a vital element of good information governance. Ensure that you put in place good cyber security practices to protect the data you hold and minimise the possibility of a data breach.
Small and medium-sized businesses can get the groundwork right by undertaking a Government-backed Cyber Essentials certification. The Government says it can help prevent 80% of cyber-attacks. As we saw earlier this year, even major businesses like Carphone Warehouse can drop the ball on cyber security.
The ICO stated that one of the reasons the fine levied on Carphone Warehouse was so punitive was that it had failed on basic cyber security measures.
Get Post-Breach Procedures Right
GDPR introduces requirements for what to do when a data breach is detected. The new regulations state that businesses have a responsibility to notify everyone affected by the breach and the supervising authority within 72 hours.
Monitor Ongoing Procedures and Practice
Just looking at GDPR as a one-off event isn’t enough.
These new best practices around appropriate technical measures and appropriate organisational measures need to be embedded within your organisation, and you need to monitor these procedures and everyday practice to ensure continued compliance.
So, whilst you may be fed up of hearing or reading about GDPR, it really isn’t going to go away. Take time now to work out your plan for it, get some help to get past the myths and miracle solutions, but above all, get started sooner rather than later!
If you’re unsure whether your organisation has done enough to satisfy the requirements of the GDPR, try our GDPR Online Readiness Assessment! This assessment features 23 questions to help you discover areas of risk you may not have considered, and is completely free! Find out today how ready you are for GDPR…
Or if you would like further help or information, please get in touch with us. Grant McGregor consultants are happy to discuss how GDPR might affect your organisation.
Contact us on 0131 603 7910 or 0808 164 4142.