What is GDPR?

The General Data Protection Regulation (‘GDPR’) will be in force on 25th May 2018 with the aim of giving citizens more control over their personal data. The law will be enforced across Europe, including the UK, but will also have a significant global impact.

How does it affect my business?

If you currently hold personal data on any customer, prospect or employee based in the EU, this change applies to you. Failure to adhere to the rules and regulations can result in a fine of up to €20m or 4% of your annual turnover.

Data protection should now be seen as a compliance issue with a cultural aspect; people care about their personal data and your business should respect that.  This small cultural change can avoid a huge financial risk.

What changes do I need to make?

The rules are very lengthy and complex and can seem overwhelming to most. Our advice is to first accept the changes with an optimistic mind-set: fighting against them is pointless, and the changes will have a positive impact on the way you currently manage your internal and external data.

Step 1 - Data Mapping

What data do you hold, where does it come from, what do you do with it, who do you share it with and who has access to the data?

Step 2 - Clean Up

Why are you storing the data rather than deleting it? How long do you need this data for?

Step 3 - Security

Take steps to safeguard your data, including checking who you share it with and whether they have the correct security measures in place. Encrypt anything you wouldn’t want to disclose.

Step 4 - Documentation

Review what documentation is currently in place for Data Protection. Does it cover the new changes? Do you have a Privacy Policy and Statement? If not, create the documentation required.

Step 5 - Procedure

Establish procedures for the way you handle personal data. How is consent given? What is the process if an individual requests that their information be deleted, and how will you ensure the data is deleted across all platforms? Can you transfer an individual’s data? How can you confirm that a person is who they say they are? What communication plan is in place in case of a data breach?

Step 6 - Employee Data

Employee data is also covered under this new law. What do you need to hold as mandatory for an employee and what is optional? How long do you need to store this for, and how do they request access to it? Do you need a separate policy for employee data?

Step 7 - Communication

Create a security-aware culture in your business. Define roles and responsibilities around this and hold training for employees if required.

Step 8 - Be Prepared

Expect the best but prepare for the worst!

Are you ready?

Don’t fight against this. Whether you’re a multinational company or an SME, you are required to transform your business to ensure adherence and compliance with this regulation; look at your policies, structure and personnel and make the changes you need to be prepared.

Let’s put a positive spin on this and see the changes as an opportunity to re-present yourself to your customer base and prospects. Show them you care about their privacy and are taking steps to protect their rights. Doing so can only build trust and enable a stronger working relationship.

We hope you have found this useful. Let’s all be ready for 25.05.18!
