It’s confusing, it’s long, but it’s important, and here at Diligence we are getting our heads around the impending GDPR (General Data Protection Regulation) that most companies will need to comply with in two months’ time. The regulation itself is huge, so to make it easier to digest and to inspire you to research the topic yourself, we have tried to provide a basic overview.
What is GDPR?
In short, if a company wants to offer services to customers in the EU then it must take action to protect their personal data. That means every data controller must comply with the GDPR by the time the regulation comes into force (25 May 2018), and it’s creeping up. If your company runs websites or apps, internal databases, a CRM or really any form of data storage, then this will affect you. Does GDPR apply to your data?
If you’ve not heard of it before, GDPR is one big set of rules overseeing all of the EU member states, each state having a Supervisory Authority (SA) to make sure everyone is on a level playing field. The overarching aim being to keep people and their personal details safe, particularly online.
Data protection is nothing new, and the fundamentals of GDPR are simply about ensuring transparency: letting people know how their data is being used, by whom, and for how long it will be held. Easy. We also need to tell people who they can contact if they have any queries about their data, which can only be used for the purposes for which it was collected. The main issue facing businesses here is not only having procedures in place but also thinking about the most effective way of communicating this information, clearly.
Don't forget, anyone can withdraw consent at any time should they wish, and can even request that their data is erased from every record, so we need to be able to respond to that quickly and effectively. Do you have a procedure in place to deal with this in a timely way?
Are you GDPR compliant?
One of the first steps is to make sure your website is GDPR compliant, and it's probably a good idea to start with your CMS. Take a closer look at who has access to personal data coming through your website. Is it really necessary for as many people to have access as currently do? This applies not only to direct employees but also to third parties, who may need reminding of GDPR compliance.
You also need to think about encryption, and GDPR explicitly encourages something called pseudonymisation to help keep your data safe. With this, the fields that identify a person are replaced with a token, and the key or lookup table that links the token back to the original data is stored separately, so the working dataset on its own no longer identifies anyone. Fitting an SSL/TLS certificate to your website encrypts data in transit between the visitor's browser and your server, and in doing so you should be on your way to meeting GDPR guidelines. So, if there is a breach of the pseudonymised data, it cannot be directly linked back to individuals, which is nice. On that note, if there is a breach, you must have a process in place to deal with it. More information on managing a security breach
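To make the pseudonymisation idea concrete, here is an added example (our own illustration, not code from the original post or from any GDPR tooling). It assumes constructed sample records for two imaginary customers, derives each subject's token with HMAC-SHA256 under a key that is meant to live somewhere other than the dataset, keeps the token-to-identity mapping in a separate store (an in-memory dict standing in for that store), and also shows how an erasure request is honoured by dropping both the mapping and the working record, which ties in with the right to erasure mentioned above.

```python
import hmac
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample records (fictional people). The fields listed in
# IDENTIFYING_FIELDS are the ones that directly identify a person.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice", "plan": "pro", "visits": 14},
    {"email": "bob@example.com", "name": "Bob", "plan": "free", "visits": 3},
]
IDENTIFYING_FIELDS = ("email", "name")


def pseudonym_for(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym from an identifier using a keyed hash.

    HMAC is used rather than a plain hash so that someone holding only the
    dataset cannot hash a guessed email address and match it to a token;
    the key (assumed to be held separately) is needed to do that.
    """
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Split records into a working dataset and a separately held lookup table.

    The working dataset carries only the token plus non-identifying fields;
    the lookup table maps token -> identifying fields and is stored elsewhere.
    """
    dataset: List[dict] = []
    lookup: Dict[str, dict] = {}
    for rec in records:
        token = pseudonym_for(rec["email"], key)
        lookup[token] = {f: rec[f] for f in IDENTIFYING_FIELDS}
        working = {f: v for f, v in rec.items() if f not in IDENTIFYING_FIELDS}
        working["subject"] = token
        dataset.append(working)
    return dataset, lookup


def reidentify(token: str, lookup: Dict[str, dict]) -> Optional[dict]:
    """Resolve a token back to a person; only possible with the separate lookup table."""
    return lookup.get(token)


def erase(email: str, key: bytes, dataset: List[dict], lookup: Dict[str, dict]) -> bool:
    """Honour an erasure request for the given email address.

    Removes the lookup entry and every working record for that subject, in
    place, so nothing in either store refers to the person any more.
    Returns True if anything was actually removed.
    """
    token = pseudonym_for(email, key)
    removed_mapping = lookup.pop(token, None) is not None
    before = len(dataset)
    dataset[:] = [row for row in dataset if row["subject"] != token]
    return removed_mapping or len(dataset) != before


if __name__ == "__main__":
    # Constructed demo key; in practice keep it in a secrets store, not with the data.
    key = b"constructed-demo-key-keep-elsewhere"
    dataset, lookup = pseudonymise(SAMPLE_RECORDS, key)
    print("working dataset:", dataset)
    token = pseudonym_for("alice@example.com", key)
    print("re-identified:", reidentify(token, lookup))
    erase("alice@example.com", key, dataset, lookup)
    print("after erasure:", dataset, lookup)
```

The point of the split is that a leak of the working dataset alone exposes plan and visit counts tied to opaque tokens, not names or email addresses; re-identification needs the lookup table (or the key plus a guessed identifier), which is why both belong in a different store with tighter access control than the analytics data.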
If you're in the world of marketing then the idea of GDPR probably puts you on edge slightly. Yes it does mean that marketing practices could need tweaking slightly but hopefully it shouldn't be too big a jump from what you are already doing.
A key topic here is consent, in particular with the use of online forms. It must be made clear to employees and website visitors alike that any information collected will be used solely for the purpose for which it was intended. This means that if an individual fills out a contact form they cannot simply be added to a mailing list; the individual must explicitly opt in to any further use of their data, of their own, fully informed, accord.
If you do have any concerns, have a look at this handy checklist, which should let you know whether your current practices are in line with GDPR guidelines and what you can do if not.
Everyone's favourite word: Brexit. It is worth noting that when GDPR comes into force the UK will still be part of the EU and, probably more importantly, will be carrying over EU policies after the big leave. That means we are still very much required to comply with the GDPR rulings, unless you fancy a potential fine of 20,000,000 euros (or 4% of annual worldwide turnover). No thanks.
The big question now is how to make sure your company is GDPR compliant. Here are 12 steps the ICO recommends you take now, in preparation for 25 May (source: ico.org.uk):
- Make sure the right people know about the change of law.
- Organise an audit, documenting any personal data held, its source and how it is shared.
- Ensure a plan is in place for making the necessary changes to any existing privacy notices.
- Check that procedures are in place to effectively manage individuals’ rights.
- Think about how you will deal with new access requests.
- Identify and document the lawful basis for your data processing activity.
- You will need to rethink how you manage consent and address any existing consent procedures that do not meet the GDPR standards.
- If you do not already, consider putting systems in place to verify the age of individuals and ways of obtaining parental consent.
- Ensure you have a process in place to deal with any security breaches.
- Get to know the ICO’s code of conduct on Privacy Impact Assessments as well as guidance relating to the GDPR from the Article 29 Working Party.
- Designate or employ data protection officers to keep on top of the new guidance.
- If your organisation works across borders then you might need to refer to the Article 29 Working Party guidelines to determine your lead data protection supervisory authority.
If you are still unsure whether you are meeting the GDPR requirements, have a look at this short checklist to give you a quick insight into how you currently comply. Hopefully it will also help you think about where you need to make some changes.
It’s important to remember that whilst GDPR is a very real and very serious regulation to get our heads around, we can only do our best and accept that we may not be able to recite every rule at the drop of a hat. It will take time to become fully compliant, so in the meantime grab a coffee and just focus on the basics.
We are not solicitors, lawyers and definitely not experts on EU law. All suggestions and advice given is our own interpretation of the GDPR regulations.