The European Union’s General Data Protection Regulation (GDPR) has quickly become a topical subject as the May 2018 deadline draws nearer. GDPR is designed to harmonise data privacy laws across Europe to protect and empower all EU citizens’ data privacy, and it is sure to reshape the way organisations approach data privacy. As worldwide pressure continues to mount, we’ve put together our Top 10 GDPR Tips for getting GDPR ready:
1. Start preparing now
Raise awareness internally with staff across your business so everyone understands what GDPR is, why it is in place and how it will affect the business. It is highly likely your staff will also be affected by GDPR as individuals, so this is a good opportunity to ensure they understand their rights. Passing on GDPR tips and guides internally will help staff get on board faster.
2. Find out what data you have
... and where it is. The data affected is the ‘personal data’ of the individuals a business deals with (or even the passers-by of your shopfront). This means any data which can be used to identify an individual, or which links to identifying information, falls under the GDPR regulation. Businesses don’t have to burn the data they collect between now and May 2018; however, knowing the virtual and physical spaces where information about individuals is kept is important.
3. Get rid of data you no longer need
De-cluttering or ‘cleaning’ your data helps you focus on the important information and metrics used to create value between a business and its consumers. Creating a checklist and getting rid of information no longer needed will help when individuals submit a Subject Access Request (see point 9).
4. Understand there are no boundaries
Businesses outside of the EU may think GDPR won’t apply to them, but they would be mistaken. If your business is collecting data in the EU about EU citizens, the GDPR regulation applies. For international and multinational businesses, point 8 will be particularly critical. There is a reason they are calling it the biggest change to data privacy in 20 years!
5. Know about the special requirements
Identifying and preparing for these special GDPR requirements ensures businesses are not fined up to 20 million Euros or 4% of worldwide turnover (whichever is higher) if their privacy policies are not GDPR compliant by May 2018. For example, businesses may require parental consent when processing data relating to children under 16 years of age, whereas for children aged 13 and under parental consent is always required.
6. ‘Unambiguous consent’ will affect marketing
One of GDPR’s headline rulings is the introduction of ‘unambiguous consent’ before users’ personal or behavioural data can be used for marketing purposes. As part of initial contact with individuals, it is important they understand every aspect of what they are agreeing to when giving up information about themselves.
7. Update security data policies and procedures
Once internal stakeholders are aware of what GDPR is, and management has a clear picture of where the data it currently holds is kept and what it contains, businesses can update their data security policies and procedures to reflect the GDPR regulation. Depending on the size of the business, the top three departments involved in this will be legal, IT, and marketing and advertising.
8. Make it a part of your working life
By 2022 there will be over 11 billion smart devices in the world connecting with other smart devices and sending out information. If a business regularly monitors or processes personal data on a large scale, appointing an in-house Data Protection Officer (DPO) will make the transition easier, as will partnering with a company that is GDPR compliant in collecting and analyzing data about individuals.
9. Be prepared for Subject Access Requests
When an individual wants to see a copy of the information a business holds about them, they will submit a Subject Access Request. The information includes whether any personal data is processed, a description of the personal data, the reason why it is processed, and whether it will be given to any other organisations or people. Following the previous steps will help businesses identify this data easily and fulfil the request for information within the required 30 calendar day deadline, using the Information Commissioner’s Office checklist.
10. GDPR compliance by design
If you design all your GDPR processes to fit the regulation, you’ll only have to do it once for them to be right. GDPR is a long-term outlook for companies to regulate the data collected from customers. The Internet of Things and Big Data are not a movement; they are an evolution of how people connect and engage with each other and their physical surroundings. Getting GDPR compliant by design from the get-go ensures you only need to read our GDPR tips once and gets your business ready for the May 2018 deadline.