The new data protection regulations (GDPR) are literally just around the corner. If you’ve left it a bit late to get your act together, worry not, these 12 steps to GDPR compliance will help you get it nailed before the 25th May deadline.
With a little help from our friends at The Computer Clinic, Bicester, Morgen HR and Carbon Law, by the end of this article you will be well on your way to GDPR compliance. Push Start Marketing recently attended a seminar on the subject, run by these good people and found it far less daunting than we had imagined. Please do not think you are up against a whole lot of confusing legal language and hoops to jump through, if you don’t try to mislead or trick clients into email sign up you’ve probably got a better handle on it than you think.
NB: No-one’s going to be knocking down your door on 26th May demanding to see your precautions in place, but at the very least you need to demonstrate you have a plan…
What is data?
Any information you hold, in electronic or paper form, that can be used to identify an individual, not companies, within Europe. The rules will apply to the processing of personal data, which means collecting, using, disclosing, retaining and disposing of information.
12 steps to GDPR compliance
We would recommend that you speak to your IT provider, HR consultant and/or a legal pro at some point during this process, to make sure that you a) cover all the bases and b) get a GDPR ‘health check’ if you want guidance or assurance.
Tip: Before you go through these points, begin your ‘GDPR plan for compliance’ document. Simply make a note of the 12 steps and assign responsible persons and dates to each one. Include notes on how to implement each step...
1. Awareness
Make sure all your key people are aware of the impact the changes might have; business development managers, sales teams and marketing teams may be worried about a drop-off of leads. Customers may need reassurance that their data is safe during the changes.
2. Information you hold
Get a process in place that documents what personal data you hold, where it came from and who you share it with. Who else has access to it? At this point a written plan to start keeping note of this would be a good idea. If you don’t know what this could look like, ask your HR consultant.
3. Communicating privacy information
Review your privacy policy on your website. If you haven’t got one, or you don’t know what review points you’re looking for, ask your website, IT provider or marketing agency.
4. Individuals’ rights
Make sure the policies on your website (and within your company) and your procedures cover people’s rights to access the data you hold on them, and have it deleted. It should be as easy to opt-out as it is to opt-in.
Did you know: You can request a copy of all the data that is held on you from a company. That company can only charge you up to £10 to provide it. So, to save costs in the long run of reporting to clients on the data you hold have a process in place to make it easy to provide (will help with the next point too).
5. Subject access requests
GDPR’s new timescale for producing the data requested is now 30 days, as opposed to the old 40 days with the Data Protection Act (1998). Do you have a process in place for completing the requests within the new timescale?
6. Lawful basis for processing personal data
Within your privacy policy on your website, it should include lawful reasons for processing personal data. For example, if you provide estimates for services and you hold that estimate on file, you must tell your customers how long you will hold it for.
7. Consent – THE BIGGY
Have all your contacts consented to you holding their data? This is referring to opting into your email list. You must make it clear that they are opting in to receive email marketing. You cannot link signing up for a guarantee, discount, promotion or other service as consent to receive marketing emails. Gaining consent is covered in our next Social Media Series blog – GDPR and Mailchimp lists.
NB: Emails that start with a generic info@, hello@ admin@ etc are not subject to 'opt-in' rules under consent, as they do not identify an individual.
8. Children
Do you need to include ‘age’ in your data? Do you need to include parental consent for holding data on a minor? If so, start to put a plan together for the procedure that will cover this.
9. Data breaches
A data breach happens when your systems are compromised and the personal data you hold may be leaked. For example, a lost phone, laptop or computer virus. You need to have a procedure in place on what to act on in this instance such as wiping data remotely. Your IT professional can help you here.
10. Data protection by design and data protection ‘Impact Assessments’
The Information Commissioner’s Office (ICO) has a code of practice regarding Privacy Impact Assessments (PIAs), which is all about managing the risks around handling data. Then there’s the Article 29 Working Party, an advisory body made up of representatives from the European Commission who oversee the implementation of the Data Protection Directive. This step refers to the plan you are currently making on how and when to implement the guidance into your system. Your legal team can help you here.
11. Data protection officers
Is there one person in your business who will be responsible for data protection compliance? You may not need one, so it is a good idea to find out. Ask your HR consultant if you need help.
12. International
Do you operate within more than one EU member state? Are you clear on all data protection policies that may affect your operations? The Article 29 Working Party guidelines will help figure this out.
Has GDPR just blown your mind?
Don’t worry, take it step by step, make notes on a master plan, assign responsible people to take on tasks and remember, if you can get your privacy policy up to date and have asked all your email contacts to opt in, you’ve tackled the major part!
Help is available from Daniel Reeves at The Computer Clinic, Helen Lawrence of Morgen HR and Natalie Murray of Carbon Law. Further reading is available from the following links:
https://gdpr.report/
The ICO
The Article 29 Working Party, blog from ICO
When you need a Data Protection Officer, from the ICO