Top 10 Tips Every Business Needs to Know for Getting GDPR Ready
The General Data Protection Regulation (GDPR) has increasingly become a topical subject as the May 2018 deadline draws nearer. The GDPR is designed to harmonize data privacy laws across Europe to protect and empower all EU citizens’ data privacy, and will be the driving force encouraging organisations to reshape their approach to data privacy. In order to assist with your GDPR journey, here are 10 Top Tips for getting GDPR ready:
1. Start preparing now
Work to raise awareness with your staff across the business so that everyone understands what GDPR is, why it is being introduced and how it will affect the business. In all likelihood, your staff will also be affected by GDPR as individual data subjects, so this is a good opportunity to ensure they understand their rights.
2. Find out what data you have
The data affected is the ‘personal data’ of the individuals a business deals with. This means any data which can be used to identify an individual, or which links to identifying information, falls under the GDPR. Equally important is knowing the location of all data within the scope of the GDPR. Bear in mind that paper copies of data (printouts, invoices etc.) are also within scope if they contain PII (personally identifiable information).
3. Get rid of data you no longer need
GDPR talks about data minimisation: this means collecting only the data that you need to carry out a function of your business, and erasing the data once it is no longer required. This also applies to data already in the possession of your business. Minimising the data you hold also greatly assists in addressing Subject Access Requests (see point 10).
4. There are no geographical boundaries
If your business collects data in the EU about EU citizens then the GDPR regulation applies.
5. Know about the special requirements
Identifying and preparing for these special GDPR requirements ensures businesses are not fined up to €20 million or 4% of worldwide turnover (whichever is higher) if their privacy policies are not GDPR compliant by May 2018. For example, businesses will require parental consent when processing data relating to children under 13 years of age.
6. Marketing activities will be affected by ‘Unambiguous consent’
One of the GDPR’s key rulings is the introduction of ‘unambiguous consent’ before users’ personal or behavioural (profiling) data can be used for marketing purposes. As part of initial contact with individuals, it is imperative they understand every aspect of what they are agreeing to when passing on information about themselves. Data subjects can also decide not to provide consent, or to withdraw consent at any time. Consent must be ‘opt-in’, as opposed to the previously widespread practice of ‘opt-out’. Any data currently held requires consent in order to be used or retained, so consent will need to be sought from existing data subjects as well. It is strongly advised to start this process immediately – test a sample group and gauge the response in order to refine the message, if required.
7. Build GDPR into your working life
By current projections, there will be over 11 billion smart devices in the world connecting to and exchanging information with other smart devices by 2022. If a business regularly monitors or processes personal data on a large scale, appointing an in-house Data Protection Officer (DPO) will make the transition easier, as will partnering only with companies that are themselves GDPR compliant in collecting and analysing data about individuals. Map out your business’s data supply chain and ensure all entities in it are equally protected and aware of their data processing responsibilities.
8. Update data security policies and procedures
Once internal stakeholders are aware of what GDPR is, and they have mapped out the data the business uses to carry out its various functions, the business can update its data security policies and procedures to reflect the GDPR. Typically, the departments involved in this will be legal, IT, marketing and advertising, but this depends on the type of data being processed and the size of your organisation.
9. GDPR compliance by design
GDPR is a long-term outlook for companies to regulate the data collected from customers. The Internet of Things and Big Data will continue to evolve and influence how people connect and engage with each other and their physical surroundings. Getting GDPR compliant by design from the get-go ensures your business is adequately protected.
10. Be prepared for Subject Access Requests
When an individual wants to see a copy of the information a business holds about them, they will submit a Subject Access Request. The information they are entitled to includes whether any personal data is processed, a description of that personal data, the reason it is processed, and whether it will be given to any other organisations or people. Additionally, a data subject can ask for their data to be erased, corrected or made available to them in a portable format.
The GDPR is a comprehensive, modern set of laws that protect the rights and freedoms of data subjects – remember that you are a data subject in this context too! Treat your data subjects’ data in the same way you expect your own data to be handled.