How will GDPR affect you?
We at Regulatory Index have trawled the Internet, watched endless videos and suffered sleepless nights over these new laws coming into force on the 25th May this year. However, it doesn’t seem to be as onerous as you may think once it is broken down. Whilst we are no experts and certainly recommend that you take independent advice to determine your own responsibilities with regards to the General Data Protection Regulation (GDPR), we have listed 10 tips that could help you prepare for these new laws, which are being updated for the first time since the 1990s, when Data Protection laws were first introduced.
Ready, Steady – GO...
- Organise your Data
Store all of your data on employees, suppliers and customers in one place and in an organised manner. If asked to supply information on any individual or company, you need to be able to do this quickly, efficiently and as accurately as possible. If you were ever unlucky enough to be investigated under the GDPR, you need to show that you have taken every possible step to prove you know exactly what data you hold on everyone.
Remember – Personal Data is any piece of information you have that could identify a person.
- Secure Data
What measures do you have in place to avoid data being leaked or hacked? If storing digitally, what measures do you have to ensure this data is secure? Is it in the Cloud? Do you have anti-virus software installed on all your devices? If any of your devices were lost or stolen, could you easily wipe any information stored on them? If your data is stored on hard copy, is it safely locked away in a fire-proof filing cabinet? Record all of this in your Risk Assessment: this makes sure all of your team know, and, should you be investigated, it shows you have taken all the necessary steps to comply. You need to make sure your data is always in safe hands.
- Let it go!
Don’t hold on to data unnecessarily. This is very important – you cannot hold on to data if you don’t have a need for it and you don’t know what you are going to do with it. Don’t keep it “just because it might come in handy in the future”. You need to prove that all data you have is for the correct purpose and in use.
- Processing Notice
  - What information is being collected
  - Who is collecting it
  - How it is collected
  - Why it is being collected
  - How it will be used
  - Who it will be shared with
  - What effect this will have on the individuals concerned
  - Whether the intended use is likely to cause complaint or objection from an individual
- Information on an individual
You must have a process for providing the information you have on a person should they ask for it. With the new law, this has to be provided within one month of them asking and FREE OF CHARGE. Ensure your process allows you to gather this information quickly to avoid any delay.
- Deleting Data
Have a process for deleting data when asked. Make sure you know where every piece of data is stored so that you can easily wipe it clear.
- Positive Opt In
Allow people to “positively opt in” to you storing their data and using it for marketing purposes. You cannot use pre-ticked consent boxes under the new regulations. A person wishing to subscribe must be able to tick the box as their choice.
- Try a layered opt in form
This means someone has to take an action and has an easy understanding of how their data is going to be used. Allow them to click on a button giving further information to make things really clear.
- Opting Out
Make it easy to opt out, and make the information really clear. A strict policy needs to be in place so that anyone opting out will not receive any further information. This is where you can really fall short of the new regulations. With emails, text messages and call services, make it clear that they can unsubscribe. Don’t use any small print.
- Make your team aware of the new GDPR Laws
Email all your employees, making it transparent that you are complying. This is also where you should appoint a Data Protection Officer (DPO), giving this person full responsibility for enforcing all your processes.
25th May is coming soon – make sure you are COMPLIANT to avoid sleepless nights and possible fines of up to €20 million!
This is Regulatory Index's interpretation of the GDPR as it stands. We have considered the content of GDPR and its intent and meaning, however this is a high-level overview and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation. We recommend you work with a legally qualified professional to discuss GDPR, how it applies to your organisation and how best to ensure compliance.