There has been a lot of talk in the press recently about GDPR and how it is going to change the way many businesses function. That is largely true: the regulation is designed to tighten up how personal data is collected, stored and used. The General Data Protection Regulation is an EU regulation that applies directly in every member state, including the UK, and comes into effect on 25th May 2018. So, if you are not yet up to speed, it is time to familiarise yourself and make the necessary changes.
What changes will your business need to make?
GDPR can be confusing, and it is hard to work out what applies to you and what you are not already doing. Below are six actionable steps that you can start to put in place today. Be aware that they apply to businesses of all sizes and across all industries in the UK, and to any organisation, wherever it is based, that processes the personal data of people in the EU.
1. Start documenting
The idea behind GDPR is to make businesses and individuals aware of what personal data is held and what is done with it. Go through and document what data you hold on customers, where you got it, what you use it for and who you share it with (larger organisations must keep a formal record of their processing activities). If you share that data with other companies, GDPR requires you to tell each recipient when the data is corrected or erased so they can update their own copies, which you can only do if you know who has it. Having this documented will help you control the flow of any data you hold.
2. Being honest with your customers
Under GDPR you need to be fully transparent with customers about how you collect their data, the purposes you use it for and the legal basis you rely on. Much of this information usually sits in a “Privacy Notice”, so update yours accordingly. Be sure to tell customers how long you will hold their data and what rights they have over it as well.
3. The right to be forgotten
The rights that individuals hold over their data are being extended, notably with regard to deletion of anything you hold about them. Customers can ask you to erase their data (the “right to be forgotten”), and in the everyday cases, such as when the data is no longer needed for the purpose you collected it for or they withdraw their consent, you must comply without undue delay. There are exceptions, for example where the law requires you to keep the data, but you should have systems in place for people to make the request easily and for your company to find and erase everything it holds, including copies held by your processors and by companies you have shared the data with.
4. Bring your team up to speed
You will need to be sure that everyone in your company is aware of these upcoming changes and is able to comply with them on a daily basis. A failure by any employee to handle data properly is treated as a failure of the business as a whole, so act now to avoid incurring penalties.
5. Obtaining consent
As part of the increased transparency around collecting data, you need to be more upfront with customers. This means removing pre-ticked opt-in boxes from sign-up forms and instead seeking express permission to collect and hold customer data. Consent cannot be inferred from someone’s inactivity or silence; it must be a clear, affirmative action, given separately for each purpose you want to use the data for, and it must be as easy to withdraw as it was to give. Keep a record of who consented, to what, and when, so that you can show it later.
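The following is an added example, not code from the original article: a small consent ledger that treats a missing or unticked box as “no consent”, records consent per purpose together with the privacy-notice version shown, lets the person withdraw it, and erases everything held about a subject on request (steps 3 and 5 above). The form field names, the two purposes and the notice version are assumptions made for the example.

```python
"""Added example (not from the original article): a consent ledger that only
records consent as an explicit, per-purpose act and supports withdrawal and
erasure.  Field names, purposes and notice versions are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Each purpose gets its own tick box on the form (granular consent).
# Weak form (pre-ticked, consent by default, what the text says to remove):
#   <input type="checkbox" name="consent_marketing_email" value="yes" checked>
# Corrected form (unticked; the browser only submits the field if ticked):
#   <input type="checkbox" name="consent_marketing_email" value="yes">
PURPOSES = ("marketing_email", "share_with_partners")


class ConsentError(ValueError):
    """Raised when a submission does not look like a deliberate choice."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    notice_version: str            # which privacy notice the person was shown
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


def parse_consent(form: dict, notice_version: str, now: datetime) -> dict:
    """Map a submitted sign-up form to {purpose: True/False}.

    A missing field means the box was not ticked, so it maps to False: the
    server never defaults to consent (silence is not consent).  Only the
    literal value the unticked box sends when ticked counts as "yes".
    """
    choices = {}
    for purpose in PURPOSES:
        value = form.get("consent_" + purpose)
        if value is None:
            choices[purpose] = False
        elif value == "yes":
            choices[purpose] = True
        else:
            raise ConsentError("unexpected value %r for %s" % (value, purpose))
    return choices


class ConsentLedger:
    """In-memory store of consent evidence; a real system would persist it."""

    def __init__(self):
        self._records = []

    def record(self, subject_id: str, form: dict, notice_version: str,
               now: Optional[datetime] = None) -> set:
        """Record every purpose the person actively ticked; return what is now permitted."""
        now = now or datetime.now(timezone.utc)
        for purpose, given in parse_consent(form, notice_version, now).items():
            if given:
                self._records.append(
                    ConsentRecord(subject_id, purpose, notice_version, now))
        return self.permitted(subject_id)

    def permitted(self, subject_id: str) -> set:
        """Purposes for which an active (not withdrawn) consent exists."""
        return {r.purpose for r in self._records
                if r.subject_id == subject_id and r.withdrawn_at is None}

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> None:
        """Withdrawal is kept as evidence rather than deleted."""
        now = now or datetime.now(timezone.utc)
        for r in self._records:
            if (r.subject_id == subject_id and r.purpose == purpose
                    and r.withdrawn_at is None):
                r.withdrawn_at = now

    def erase(self, subject_id: str) -> int:
        """Right to be forgotten: drop every record held for the subject."""
        before = len(self._records)
        self._records = [r for r in self._records if r.subject_id != subject_id]
        return before - len(self._records)


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed submission: only the marketing box was ticked.
    submission = {"email": "someone@example.com", "consent_marketing_email": "yes"}
    print(ledger.record("user-1", submission, "privacy-notice-v3"))
    ledger.withdraw("user-1", "marketing_email")
    print(ledger.permitted("user-1"))
    print(ledger.erase("user-1"))
```

In practice the erasure step also has to reach backups, processors and any company the data was shared with, which is why the documenting step matters so much; the ledger here only shows the part you control directly.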
6. Thinking about children
Where online services are offered directly to children, anyone under the age of 16 needs the permission of a parent or guardian before their personal data can be processed on the basis of consent. GDPR lets each member state lower this threshold to as low as 13, and the UK has chosen 13. These measures are intended to better protect children online, especially on social media. Be sure to have measures in place to verify the age of anyone consenting to share their information and, where a child is involved, to make reasonable efforts to verify that the parent or guardian really did consent.
How will GDPR be monitored?
The Information Commissioner’s Office (ICO) is having its powers extended as part of GDPR. It is the body responsible for overseeing and enforcing GDPR in the UK: it investigates complaints and reported breaches, audits organisations and issues penalties. Here are some more things to be aware of.
– The maximum fine for breaching the regulation rises to €20 million (around £17 million) or 4% of global annual turnover, whichever is higher.
– You must carry out a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to put individuals at high risk, such as large-scale profiling or monitoring, and the ICO can audit your compliance. Your systems therefore need to be demonstrably secure against hacking and data breaches, not just assumed to be.
– If you suffer a personal data breach, you must notify the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk. Where the breach is likely to put people at high risk, you must also tell the affected individuals without undue delay. Keep an internal record of every breach, whether or not you had to report it.
– It is recommended, and in some cases obligatory, to appoint a Data Protection Officer. Their job is to advise on and monitor your compliance, and to act as the contact point for the ICO and for individuals. A DPO is mandatory if you are a public authority, or if your core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data such as health records or criminal convictions.