With under 3 months until the EU’s General Data Protection Regulation (GDPR) comes into play, replacing the previous Data Protection Directive, it’s really time to think about what it means for your business and what changes you will need to make. The fines for non-compliance are 2-4% of turnover or up to 10 million Euros, whichever is higher, and are designed to make you sit up and take notice! Whilst at first glance the GDPR is a complicated beast, we’ve broken it down to help you on your path to compliance.
So that’s the scary bit, but we also want to reassure you that this exercise can really strengthen your business! Preparing for the GDPR will ensure that you are following best practice when it comes to data handling, and putting your customers in charge of their preferences and data will mark you out as a company committed to using data sensitively and ethically!
Here’s how you should start preparing:
Nominate someone (maybe yourself!) to take responsibility for learning about GDPR and making sure it happens. Make sure their workload is tweaked to allow them to spend proper time researching, training staff and implementing new ways of working.
Quite simply, audit your data. Learn how you’re collecting it and where you’re storing it: on a computer, in the cloud, on a server? Then look at your systems: are they fit for purpose, do they need updating? The ICO have a wealth of resources on their website, including self-assessment audits, so take a look.
Put the individual first
This is the essence of the GDPR: putting individuals first and in charge of their own data. This falls into two categories:
- Current data
Data gathered before 25 May 2018 that doesn’t meet the new standards of consent can’t be used. Individuals need to opt in again. BUT be very careful about reaching out, as even big players such as Honda have been fined for doing this incorrectly.
- New data
You need to think not only about how you are going to get individuals to actively opt in (best practice is a double opt-in), but also about how you are going to communicate with them about the changes and what you’re using their data for. This means updating your website and privacy messages, looking at e-newsletters, and so on.
Prepare for the worst
The GDPR puts an obligation on businesses to report all personal data breaches within 72 hours if the breach is likely to result in a risk to an individual’s rights and freedoms. So alongside making sure your data collection and storage methods are as robust as possible, you need to develop a breach plan.
If all of this seems too daunting then don’t be afraid to seek expert help. Legal experts are available to come into your business and conduct an audit with a clear action plan.