The way companies are allowed to collect and store personal data is changing. By May 2018 new laws will come in to play which all companies must adhere to. The new laws are there to protect not only members of the public but companies themselves, they will also promote efficiency within internal processes.
When laws like these are due to come in it's generally the SMEs who stick their heads in the sand until the time comes, don't let that be you! Take this opportunity to work with your team and really get to grips with the types of data you handle and store and how you process it, the exercise should yield a lot of value in cataloguing existing data and inspire your team to come up with creative ways of using it.
The below checklist highlights 12 steps you can take now to prepare for the General Data Protection Regulation (GDPR), make sure you become acquainted:
The minimum would be to ensure the key decision makers within your company are aware of these rules. We'd suggest you go a step further and ensure your whole team are well versed in the changes. Send this link to all of your employees and ask for suggestions from your team on how to move forward and prepare for the changes to the law. You may spark some ingenuity within your staff. You and your team need to identify areas that could cause compliance problems under the GDPR. After mulling over the changes with your staff, speak to your law specialist about looking at your organisation’s risk register, if you have one.
Your solicitor should be able to give you an idea of the resource implications that implementing the GDPR will have on your company. If you act now, you can chunk the work out over the coming months without too much strain on your work force.
2. The Information you hold
All of the personal data your company holds needs to be documented. You need to add:
- Where it came from
- Who you shared it with
You need to keep secure and factual records of the above because the GDPR’s accountability principle means that if your data is wrong and you have passed the data on to another company, you have to make them aware of the mistake. The first step in doing that is documenting the data you hold.
3. Communicating Privacy Information
Privacy notices aren't a huge task but they can trip you up. Review your current privacy notices, on your website, email campaigns etc. and plan what changes, if any, need to be made in order to be compliant.
One big change you might want to consider taking under legal advisement is the requirement to explain your lawful basis for processing the data, your data retention periods. Consider the fact that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data.
4. Individual's Rights
Make sure to review your data storage set up and ensure it covers all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. The GDPR includes the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making including profiling
5. Subject Access Requests
Here are some of the new rules that apply to the procedure when a subject requests access to their data, make sure you're ready for the changes:
- In most cases you will not be able to charge for complying with a request - do you currently charge? Is this a revenue stream for you? You need to be ready to replace that stream by May if so
- You will have a month to comply, rather than the current 40 days
- You can refuse or charge for requests that are unfounded or excessive
- If you do refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority
6. Lawful Process for Processing Personal Data
The ICO have published a comprehensive guide to GDPR consent. It's advisable that you read through this with your team and your solicitor, ensure that your company meets these guidelines and make any changes necessary as well as updating your privacy poilicy.
For the first time, the GDPR will bring in special protection for children’s personal data. This means you will have to put in place systems that identify users' age, in case there is a need for parental consent.
9. Data Breaches
Data breaches are becoming far more common and this is mainly because of the lack of diligence companies have on their digital security. Whether you believe cyber attacks are inflated, sensational news or are simply unaware of your own vulnerabilities you will be expected to show how you intend to detect, report and investigate a personal data breach and ignorance will never be an excuse.
10. Data Protection by Design
The GDPR is making privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances. You need to know if these are relevant to your company and the type of data you store and the way its protected. Find out more in the IPO's Conducting privacy impact assessments code of practice Guide.
11. Data Protection Officers
Although you should look to your whole team, not only to come up with creative solutions to your data protection processes but to enforce them, it's always best to have one expert in your corner.
Either work with one member of the team yourself or have them work with your solicitor and put meetings in place where reports are produced to ensure your company is compliant on an ongoing basis
If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this. The lead authority is the supervisory authority in the state where your main establishment is.
If you have any questions on the new laws on data protection, especially in terms of marketing, remarketing, social media advertising or email campaigns, please get in touch and we can discuss what implications the new rules will have on your current processes.