GDPR is the new buzzword, or rather buzz-acronym: barely a day goes by that we don’t see an email or tweet regarding GDPR, its effects, and what products you should be buying to help you with it. We decided it would be worth sharing information on GDPR and what steps our customers should be taking to prepare for it.
What is it?
Before we go any further we want to confirm what GDPR is. GDPR stands for General Data Protection Regulation. It will apply in the UK from May 2018 (and Brexit will have no effect on this), and it will replace the existing UK Data Protection Act 1998. It will change the way all UK companies store and manage their business and personal data, including employee data, with the intent of strengthening and unifying data protection for all individuals. It will give people more control over how their personal data is used, and it will give businesses a simpler, clearer legal environment in which to operate.
Where to start: Complying with GDPR
We have seen a lot of companies discussing GDPR and telling you why buying their product is the key to GDPR success. Truthfully, there is no magic product you can buy that will make you comply with GDPR. Organisations need to start by understanding their own data – what data they have, how they are storing it, how they use it, and why they are keeping it – and in turn carry out a risk assessment on that data. Data includes information you hold about your staff, your clients or service users and, potentially, data that you store on behalf of clients through services that you provide to them. Once this review is complete, you should update your internal information security policies to ensure you are taking appropriate steps to protect the information, and are using it in a way that wouldn’t be a surprise to the individuals concerned.

There is plenty of information available online that explains how you are allowed to collect and use data under the new rules; we’ve posted some reliable links below. It’s important to note that there are numerous changes, especially around consent to market to your contacts, and there’s a good chance you’ll need to review your marketing processes as well as your website privacy notices, and potentially your service terms and conditions too. In order to comply you first need to understand the information that you are storing and using, and there’s no time like the present to start that audit process.
Although IT plays a key role in GDPR, it doesn’t have to be a big issue. Understanding your data is the most vital task to start with, and it should be seen as a business-process job that you can do internally. So don’t panic about the IT aspect of GDPR; start preparing now so you have plenty of time to comply with the new law.
You need to appoint one of your team to act as your data protection officer. Some organisations may decide to outsource the data protection officer role; either way, it is important that the data protection officer has sufficient time, resources and authority. It’s certainly not a quick fix or a way to avoid the act.
We recommend:
- review your data,
- start updating your privacy policies,
- have a look at the ICO’s advice as the first steps to complying.
Where can I get impartial reliable help with GDPR?
The Information Commissioner’s Office (ICO) should be every organisation’s first port of call: there is no hidden agenda with the ICO, and they are not trying to sell you anything. Our advice is to visit the ICO website and sign up to their newsletter, which gives regular updates on GDPR. The ICO also has a very useful guide called GDPR: 12 steps to take. There is a wealth of information on privacy notices – how to write them and what to include. They have information on the ICO’s priorities in the coming months under Guidance: what to expect and when, and finally some useful links for people who want to do more reading around GDPR.