The General Data Protection Regulation (GDPR) comes into force in just 100 days from today. Is your business ready for the new rules? Here’s a short checklist you can use to make sure you’re on top of the impending change and avoid some nasty fines.
First things first, if you don’t know what the GDPR is, it’s essential that you educate yourself. Regulators aren’t interested in ignorance as a defence, and getting unexpectedly caught breaking the rules could have disastrous results. You can get a more detailed account of what the GDPR is and how it might affect you in our blog, Are you ready for GDPR?
In a nutshell, the GDPR is a new set of rules designed to protect consumers and their personal data. Any business that deals with the EU and stores customer data will – from May 25th – need to take steps to better protect that data and provide greater transparency. For instance, a customer’s personal data can only be shared if they have given their express permission.
Now that you are aware, make sure that all the key decision-makers in your business are also aware of the law change. They need to appreciate the impact and how it will change operations and think about taking steps to prepare, such as…
Make an inventory of your data
Before you can know whether you comply with the new GDPR legislation, you need to understand what data you hold, who you share it with, and where that data came from. The GDPR requires you to maintain records of your processing activities and to take responsibility for any inaccurate data (e.g. if you have shared inaccurate data, you need to inform those you shared it with so they can update their records).
Keeping track of what data you have and where you have shared it will make complying with GDPR significantly easier.
Check your procedures cover individuals’ rights
The GDPR provides rights to individuals, including the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right not to be subjected to profiling or other automated decision-making. These are similar to those of the Data Protection Act (DPA), so you may already be in a position to provide these rights with minimal changes. It’s a good time to check that your procedures are good enough – how would an individual contact your company to exercise their rights?
One new right is the right to data portability. This applies to personal data an individual has supplied to a controller, where the processing is automated and based on the individual’s consent. Businesses must be able to provide that personal data in a structured, commonly used, and machine-readable form, such as CSV files. This must be provided free of charge and within one month of the request.
Review how you seek consent
Consent regarding data is more than just a regulatory requirement, it’s also a way to build trust with your customers. There has been a lot of scepticism and distrust in regard to how businesses use data, and making sure your customers have easy access to giving or refusing consent will make your business seem more transparent, and therefore trustworthy.
Check how your consent procedure works, and that it meets the GDPR standard. Now is a good time to refresh your consent, ensuring that a clear ‘opt-in’ option is available and that pre-ticked boxes or similar tricks are not in play. Consent needs to be clear and concise, name any third-party controllers who rely on the consent, and not be a precondition of a service.
A recurring story in the news over the last few years is consumers finding out, years after the fact, that their data was stolen from an organisation such as Yahoo or Uber. This is no longer going to be acceptable for businesses operating in the EU.
If a business detects a data breach, they need to report it immediately (within 72 hours) to the ICO. If the breach is likely to result in a high risk of adversely affecting individuals, you must also inform those individuals.
Have a system in place that allows you to detect data breaches as they happen. Ensure the relevant people in your company are knowledgeable and skilled enough to detect a personal data breach, and understand what exactly constitutes a ‘personal data breach’ (it isn’t only about data theft). Put procedures in place so that you have a plan of action upon discovering a breach, and a checklist for preparing and responding to it, so that your actions comply with the GDPR.
Those are our top tips for preparing for the GDPR. It’s only 100 days away so it’s time to get on top of it! Do you need any help preparing for the GDPR? Get in touch and we’ll be glad to assist you.