What is GDPR and how to prepare for it
What is GDPR?
The EU General Data Protection Regulation (GDPR) is a European regulation that comes into force on 25 May 2018. According to the official website, it was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organisations across the region approach data privacy.
When is it coming into force: GDPR will come into force on May 25 2018.
Who is managing it: The Information Commissioner’s Office
More info: Read the official guide to GDPR and full regulation to find out more.
Who should obey it
GDPR legislation will affect any European Union member state business offering goods or services and managing personal data. It aims to provide consistent and comprehensive tools to help people manage and protect their information.
However, if your company trades or provides goods & services to European customers and stores, shares or processes their data, the GDPR rules will also apply.
Fines: Up to €20,000 mln or 4% of annual global turnover.
Essentially, this is an EU (and UK) regulation that comes into force at the end of May and has to be respected by every business and organisation processing people's data, whether those people are customers, prospects and/or employees. Anyone can also request access to the information a business holds on them and can ask to have their details removed.
Key rules that will apply:
- The right to be forgotten: People will have the power to refuse to have their data processed and the right to ask for their data to be erased.
- The right to access their own data: People will be able to access information on how their data is processed, in a clear and understandable way, via Subject Access Requests (SARs). There is also a right to data portability, making it easier to transfer personal data between service providers.
- The right to know when your data has been hacked: This is a huge one in today's age of constant data breaches. Organisations will have to notify the national supervisory authority of serious data breaches as soon as possible (normally within 72 hours) so that users can take appropriate measures.
- Marketing consent: The rules for obtaining consent have also been refined. Organisations will need clear records showing the date of consent, what was consented to, the method of consent and who obtained it.
What does it mean in practice? In a broad sense, it means that every department that stores or accesses any customer or employee data will need to be compliant and meet the requirements listed below.
To-do list:
- Review where customer data is stored.
  - Reach out to all team members to confirm if, how and where they store the data.
  - Examples include: website and offline form submissions, competitions, job applications, event attendee lists, reservations and cancellations, complaints, and the details of contractors, employees and ex-employees.
- Check all the sources of customer data.
  - Confirm if and where the data comes from.
  - To make it easier for yourself, create a spreadsheet recording the origin of each data set and who stores or manages it.
- Verify all the places you pass customer data on to and how the data is being used.
  - Reach out to all team members to confirm who they pass individuals' details on to.
  - These include, but aren't limited to: OTAs, partners, resellers, suppliers, event venues and internal teams.
- Ensure protection for any personal data that is processed by others on your behalf and transferred outside the European Economic Area.
  - Reach out to all team members to confirm who they pass individuals' details on to.
- Document it all.
- Verify what lawful basis you have for using these details and whether people expressed their consent. Make sure you have this information saved too, as you cannot process any data without consent.
- Review how you ask people for consent.
  - Here are some great examples of obtaining marketing consent in line with GDPR.
- Check whether your business has a system to manage ongoing consent.
  - If it doesn't, you will need either to securely delete all the data or to request consent again by contacting the individuals on your list and prompting them to opt in.
- Ensure you have registered your business with the Information Commissioner's Office.
  - You can register your business here.
- Update your contacts with a revised privacy notice.
- Ensure you offer individuals access to their personal data.
  - The best way to do so is to set up a CRM system, if you haven't got one already.
- Set up processes to ensure that the personal data you hold remains accurate and up to date, and that there are people and procedures in place to respond to individuals' requests for removal, objections to the processing of their data, and any other data-related requests.
  - Nominate a person responsible.
- Have a process to securely dispose of personal data that you no longer require. Ensure you also have tools in place to dispose of data an individual has asked you to erase.
- Create and implement an appropriate data protection policy.
- Monitor your own compliance with data protection policies and regularly review the effectiveness of data handling and security controls.
- Provide data protection awareness training for all staff.
- Communicate the GDPR policy to all your departments.
  - You need to be able to prove that your employees received a communication about GDPR.
- Ensure you have a written contract with any data processors you use.
- Your business needs to be able to manage information risks in a structured way, so that management understands the business impact of personal data-related risks and addresses them effectively.
- Review your data protection and data processing activities and implement appropriate technical and organisational measures.
- Make sure your business understands when you must conduct a Data Protection Impact Assessment (DPIA) and has processes in place to action this.
  - Implement a DPIA framework.
- Nominate a data protection lead or Data Protection Officer (DPO).
- Introduce an information security policy supported by appropriate security measures.
- Implement processes to identify, report, manage and resolve any potential personal data breaches.
Good luck!