Let us start by being a little controversial. We aren’t GDPR experts.
I know, shock horror! It is unusual for a business to say, as there are a plethora of so-called ‘experts’ on the market.
The truth is that no one is a GDPR expert. The finer parameters are still under discussion, so how can anyone know everything when GDPR hasn’t even been fully settled yet?
What we are is well versed in the fundamentals of the new regulations, which in itself is enough to help you prepare: the core elements are not going to change, and that much we do know for certain.
You’ve probably already scanned the endless resources that regurgitate what the ICO and the regulatory bodies have said, bringing you up to speed with the theoretical and legal elements of the legislation. That is all well and good, but what do the new regulations actually mean for your business?
There are no two ways about it: you are almost certainly going to have to change some of your company’s processes and your technology to comply with GDPR. So what changes can you implement today in order to be compliant on March 25th, 2018? Here are six pointers to get you started:
Start mapping your data
Data mapping is essential as it allows you to understand the journey of the data that your company is responsible for. It will show you where it comes from, who you share it with, what you’re storing, and so on. This is especially important when you use multiple platforms to save customer information (most businesses use 10-15 across several departments).
Appoint a data protection officer (DPO)
If you store highly sensitive customer information, or if you have a significant number of records on your systems (typically 5,000 or more), then you are required to appoint an impartial data protection officer to ensure that you are compliant. The responsibility of the DPO is to liaise between your company and the supervisory authorities, such as the ICO and the police, as well as the data subjects, handling any complaints or questions.
Prepare yourself for breach reporting
Just to be clear, it is not a case of ‘if’ there is a data breach, but ‘when’. It could be something as innocent as a member of staff downloading sensitive data and emailing it to the wrong person. As you only have 72 hours to notify the authorities of any transgression, it is a smart idea to plan ahead of time so that you can act accordingly. Your plan should include key contacts and the protocol you need to follow.
Conduct a data privacy impact assessment
As well as being clued up on breach reporting, you also need to conduct a data privacy impact assessment so that you understand what would be lost in a breach and who that would affect. It is incredibly important that you do this, as it builds a paper trail showing that you have taken the necessary precautions to avoid infringement. This can help you minimise the damage to your business when a breach does occur.
Review 3rd party services
It is all well and good making sure that your own organisational i’s are dotted and t’s are crossed, but if you share your data and workload with external providers, you also need to look at whether or not they are compliant. Where possible, seek to minimise the amount of data that you share to reduce your risk. You might be outsourcing the work, but you aren't outsourcing the risk, so it is your responsibility to inspect their protocols. After reviewing your suppliers, liability still rests with you, but you can at least prove that you have exercised reasonable due diligence as a preparatory measure.
Make technical changes
The biggest changes that you will need to review and adjust to comply with GDPR fall under 5 categories.
- Access to details.
- The ability to edit details.
- The right to be forgotten and deleted.
- Exporting data.
For those with the technological capabilities, the answer to points 2-5 can be fairly straightforward. By digitising your processes, perhaps through a portal or easily accessible links, you can give your customers the opportunity to view, edit or even delete the data that you hold on them (wherever legally permissible: naturally, you wouldn’t just let someone delete their mortgage, for instance). One alternative to consider could be something as simple as creating a Google form, through which your customers can request access, edits or deletion accordingly. You can tick the export box by giving them the ability to download their data in a machine-readable format such as a .CSV file.
"Processing" is defined by any operation within your company that utilises personal data. Analyse the ways that you process data and your legal basis for doing so. Consent, for example, is just one of the avenues you need to look at. You have to ensure that you are using the data you have for the purpose the original permission was given for, as well as making it easy for that consent to be withdrawn.
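The following is an added illustration, not code from this article or from Tandem, of what the technical changes above and the consent checks just described look like in practice: a minimal handler for access, rectification, erasure (refused while a lawful retention reason such as a live mortgage applies), CSV export and per-purpose consent. The record store, field names and `legal_hold` flag are all assumed for the example.

```python
import csv
import io
from dataclasses import dataclass, field

@dataclass
class CustomerRecord:
    customer_id: str
    email: str
    consented_purposes: set = field(default_factory=set)  # purposes consent was given for
    legal_hold: bool = False  # a lawful reason to retain, e.g. a live mortgage (assumed)

# Constructed sample store standing in for one of the platforms holding customer data.
RECORDS = {
    "c-001": CustomerRecord("c-001", "alice@example.invalid", {"marketing", "billing"}),
    "c-002": CustomerRecord("c-002", "bob@example.invalid", {"billing"}, legal_hold=True),
}

def access(customer_id):
    """Right of access: a copy of everything held on the subject."""
    rec = RECORDS[customer_id]
    return {"customer_id": rec.customer_id, "email": rec.email,
            "consented_purposes": sorted(rec.consented_purposes), "legal_hold": rec.legal_hold}

def rectify(customer_id, new_email):  # right to rectification: correct inaccurate details
    RECORDS[customer_id].email = new_email
    return access(customer_id)

def erase(customer_id):
    """Right to erasure: honour it unless a lawful retention reason still applies."""
    if RECORDS[customer_id].legal_hold:
        return False
    del RECORDS[customer_id]
    return True

def export_csv(customer_id):
    """Right to portability: the record in a machine-readable CSV format."""
    row = access(customer_id)
    row["consented_purposes"] = ";".join(row["consented_purposes"])
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(row))
    writer.writeheader()
    writer.writerow(row)
    return buf.getvalue()

def withdraw_consent(customer_id, purpose):  # withdrawing must be as easy as giving consent
    RECORDS[customer_id].consented_purposes.discard(purpose)

def may_process(customer_id, purpose):  # check the legal basis before every use of the data
    return purpose in RECORDS[customer_id].consented_purposes
```

A real deployment would authenticate the requester and log each request, but the shape of the checks stays the same.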
Overall, the GDPR should be seen as a brilliant way to take your business to the next level. Not only does it kick you into gear to work more proactively, but your security will be tighter, your processes streamlined, and your marketing campaigns more effective as a result, improving your bottom line. Which business owner doesn’t want that?
For further help and advice on making your business compliant and making changes to your existing technology, please get in touch. Whether it's carrying out a data privacy impact assessment, or help and advice reviewing your current set up and how you can do things differently, Tandem can help you. We work closely with you to determine what services make sense for you, ensuring that you have a solution tailored to your needs: giving you complete peace of mind. Contact us today by calling 01204 860050 or emailing us on email@example.com.