Getting Ready for GDPR: One Month To Go
With less than one month to go until GDPR is enforced, businesses need to take action.
The General Data Protection Regulations have been created by the European Union and are enforced by the Information Commissioner’s Office.
The aim of the regulations is to enforce stricter rules about how personal data can be handled.
Businesses need to act now if they haven’t already, to prepare for the 25th May 2018 deadline.
The ICO have outlined large fines for non-compliance totalling €20 million or 4% of a company’s global annual turnover.
However, in a recent blog post, they reassured businesses that fines were a last resort and the main aim of the GDPR regulations is to protect personal data.
The best way to make sure that your business isn’t penalised is to cleanse your database now, before the deadline.
Although GDPR concerns all data types, we will focus solely on marketing data here.
For all uses of personal data, businesses need to identify and log which lawful basis they are citing when processing data. In total, there are six lawful bases:
- Consent
- Performance of Contract
- Legal Obligation
- Vital Interests
- Public Task
- Legitimate Interests
However, businesses that intend to use ‘legitimate interests’ for all of their data should exercise caution.
This basis cannot be used as a cover-all reason to process data. You should review your lawful basis for processing data on an individual basis.
Furthermore, if you plan to contact your database to obtain double opt-in consent for marketing purposes, this contact should be made before the new regulations come into effect.
Contacting non opt-in data after the deadline has passed may also result in a fine.
Refreshing Privacy Information
This is because companies need to clarify how they intend to use data moving forwards.
Before the changes come into effect, you need to make your contacts aware of changes you are making to data processing within your company.
You should be transparent about how you intend to use the data you collect and the statement should be simple to understand.
Once you have updated your policies these should be circulated to your staff members and contacts. They should remain in an accessible location should anybody want to check them in the future.
Preparing For The Worst
Companies should prepare themselves should there ever be a problem with the data or a data breach.
You should conduct tests of your system at a physical, technical and organisational level. Tests can be used to check that a system is secure in the event of an attack.
Penetration testing is one way that companies can ensure their systems are secure. The results of these tests can be used to create contingency plans and to further improve system security.
Staff training is an important element of the preparation phase. Staff members should be made aware of the correct procedures for reporting data breaches.
They should also be informed that they may not be penalised personally for reporting a breach. It is better to report breaches than to cover them up.
Companies must use compliant data collection processes under GDPR. Processes should be put in place to ensure that contacts are notified of what you are doing with their data and why upon signup.
Historic data also needs to be checked and brought up-to-date.
Businesses should be cautious and make sure that they are fully compliant with the regulations well before they come into effect.
Complying With GDPR in the Future
The new regulations don’t start and stop on the 25th May.
They should form an ongoing consideration for companies from this point forwards.
Although hefty fines may be issued for non-compliance, the main reason for the new regulations remains protection of personal data. Putting a plan in place to work towards that goal is essential for future success.
GDPR is not a reason to be concerned. Simply follow the guidelines outlined by the ICO, inform your teams and cleanse your marketing data well in advance of the deadline.
For more information on how to prepare for the upcoming GDPR regulations, download our whitepaper.
Disclaimer: The materials and information contained herein are not intended to convey or constitute legal advice. You should seek your own advice specific to your business’ requirements.