Two months ago we mentioned that you should start preparing for the effects of the General Data Protection Regulation (GDPR) soon. The Information Commissioner’s Office (ICO) has gone one step further and suggested you should begin now. For all of us in email marketing and data retention their 12-step advice document is a must read. See: https://dpreformdotorgdotuk.files.wordpress.com/2016/03/preparing-for-the-gdpr-12-steps.pdf
The document is written in clear, precise language and is an easy read. And read it you should, and now despite the GDPR not becoming law before mid 2018.
You need to ensure that key people and decision makers in your company are aware that changes are coming.
2/ Information you hold
You need to start cataloguing the personal data you hold and all the details of it, such as whom you share it with. Ask yourself how long it would take you to organise and perform an information audit and whether you have the staff with the necessary skills.
3/ Privacy notices
Review your current privacy notices, in other words the information you give to the someone when collecting their personal data, such as how you will use the information.
4/ Individual’s rights
The main rights for individual under the GDPR are:
- Subject access,
- To have inaccuracies corrected,
- To have information erased,
- To prevent direct marketing,
- To prevent automated decision-making and profiling, and
- Data portability
5/ Subject access requests
You need to work out how to handle such requests within the new time limits.
6/ Legal basis for processing personal data
You must not only identify the legal basis for your use of data but document it.
The GDPR requires you to demonstrate that consent was given for everyone on your email marketing list for instance.
How do you verify the age of a person, or gather the permission of a parent or guardian?
9/ Data breaches
You will probably require new systems to detect, report and investigate any breach of personal data.
10/ Data protection
The ICO has produced guidance on Privacy Impact Assessments but you will have to consider how your will implement them. Privacy by design is the catch-phrase. It is a requirement as well.
11/ Data protection officers
You need to know if your company requires a Data Protection Officer and ensure that their position is clear to them and everyone else. The ICO reckons that the GDPR is quite clear that for data controllers, documentation is the new must have. And finally:
If you do business internationally, you need to work out which supervisory authority you come under. It is, unfortunately, not always clear, and there is a possibility that it might change.
If it seems a lot to do then I’ve managed to convey the second most important aspect of this. The vital one is that you need to start planning now. If you have a trade body or association, chase them up for their advice and suggestions.
We will cover the specific items in depth in future articles. In the meantime, get planning.