Despite all the recent media coverage, many businesses are still rather confused about the new General Data Protection Regulation (GDPR) and specifically, how it will affect their business.
GDPR in a nutshell
GDPR comes into force from May 2018 and is essentially about increased control and security of the personal data you hold as a business. Many of the existing principles of the current UK Data Protection Act are being carried over into GDPR – but it is more wide-reaching, giving individuals much greater control over what happens with their personal information.
GDPR is good news for individuals
This is obviously good news for all of us as individuals. After all, who wouldn’t want greater clarity about the personal information businesses are collecting and storing – and what they are doing with it?
But it’s not all bad news for businesses
GDPR can seem a bit scary for businesses – especially with all the sensationalist headlines focusing on significant fines for breaches and non-compliance. But it’s not all bad news – by implementing a robust GDPR process in your business, you can show your customers how committed you are to their privacy and the correct handling of their personal details. Not only will your data be more secure – reducing business and reputational risk – but you’ll also be able to get much closer to your customers, improving relationships and retention.
So, how will GDPR affect my business?
Well, this depends largely on how robust your existing processes are for collecting, storing and using personal data. For example, storing it digitally can really help – making the whole GDPR process much less daunting.
To find out the likely impact of GDPR on your business, you’ll need to review your existing procedures to make sure every area of the new regulations is being covered correctly.
Here’s a good way to approach this:
- DISCOVER – First, you need to conduct a full audit of the personal data you hold, including:
  - what data you currently hold, or plan to hold in future
  - why you hold the data
  - where it is kept
  - who has access to it
- MANAGE – Next, work out how you will introduce more robust processes to control things like:
  - how the data is used, accessed and managed
  - how you will handle requests from individuals to disclose, correct or delete data
  - how to make sure data is only used for the originally-stated purpose, and not held for longer than it is needed
- PROTECT – Then, devise a set of robust security controls to prevent, detect and respond to any vulnerabilities and data breaches
- REPORT – Finally, decide how you will report any data breaches, and keep evidence of your compliance
It’s not just an IT project!
The key thing to remember is that GDPR compliance isn’t just a project for your IT team. It’s a project for the whole business, and all your key stakeholders (and all your staff) need to be on board and involved in defining and managing the process.
Here are some key areas which are likely to be impacted by GDPR:
You’ll need to adhere to stricter rules around obtaining consent from your customers. They must have the right (and the ability) to withdraw their consent, and be able to agree to certain activities and not others. This is likely to impact the way in which you manage your sales and marketing activities. Your business processes, applications and forms must comply with new double opt-in rules – and you’ll need a full audit trail and reporting mechanism so you can prove consent was given (or withdrawn) and when.
How do you currently store your personal data? Is it on paper, in digital format, or a bit of both? How do you collect the data, and who can access it? All these questions need to be answered, and the security aspects of each element need to be reviewed. Data shouldn’t be available to everyone in your business – only to those individuals who need it. And if a customer needs to update or correct the personal data you hold on them, you need to be able to action this quickly, whilst maintaining full data security.
Medium to large businesses may need to appoint a dedicated Data Protection Officer (DPO) – this is definitely the case for organisations with more than 250 employees. The DPO’s role is to ensure GDPR compliance and regularly check for any risks or threats to data security – with high priority given to the storage, distribution and security of both paper and digital documents. The DPO is also responsible for reporting any data breaches without delay to the Information Commissioner’s Office (ICO).
Whilst senior management (and the DPO if you have one) need to make all the key decisions around GDPR compliance, it’s important to ensure all staff have a basic understanding of GDPR. They certainly need to know what it means, and the potential issues which can arise if GDPR compliance-related procedures aren’t followed correctly. This is because breaches can occur simply due to lack of awareness and understanding of the issues involved.
Data governance policies and procedures
If they already exist in your business, they will probably need to be updated to make sure they comply with the new stricter GDPR regulations. And if you don’t currently have these in place, you’ll need to create and maintain them in accordance with GDPR requirements.
Data processing arrangements
If you use an external company or third parties to process your customer data, you’ll need to make sure your contracts with these data processors comply with GDPR. This applies to data collection and processing undertaken by all businesses which operate within the EU, regardless of where the data is actually processed.