In April 2016 the General Data Protection Regulation (GDPR) was approved by the European Parliament, and the enforcement date, 25 May 2018, is now approaching.
GDPR replaces the Data Protection Directive and harmonises data privacy law across the EU. In practice this means changes to how you collect, share and use personal data. To help, we’ve put together a guide to the steps you need to take to make sure you’re on top of GDPR.
Spread the word
First of all, make sure everyone in your business knows about the upcoming changes and how they will affect the way they work (if at all). It is also a good idea to put somebody in charge of data, so that they can keep tabs on the way it’s handled.
Audit your information
Under GDPR you’ll be required to keep records of your processing activities. This means knowing what personal data you hold, where it came from and who you have shared it with or will share it with. To get this right, it’s worth starting an in-house audit now, documenting the information you hold so that you have the evidence you need.
Communication is key
GDPR also changes what you must tell people when you collect their data. For example, you’ll need to explain your lawful basis for processing the data, your data retention periods and that people can complain to the Information Commissioner’s Office (ICO) if they believe you’re misusing their data. All of this must be communicated in a way that is easy to understand and simple to read.
You’ve got the right to data
GDPR also strengthens individual rights, so you’ll need to check that your procedures can meet them. From deleting personal data to data portability, you’ll need processes in place for when, for example, someone requests that their data be removed. Many of these rights build on those in the current Data Protection Act (DPA), so if you’re already on top of them the transition should be manageable, but you will need a process for requests, such as data portability, that the DPA did not cover.
Stay above the law
Have you thought about your business’s lawful basis for processing personal data? Now’s the time. Under the current law your lawful basis has few practical consequences for how you process data, but under GDPR’s accountability requirements you must document it, and some individual rights depend on it: for example, people have a stronger right to have their data deleted where you rely on consent as your lawful basis.
How do you gain consent for collecting data? The detail is too much to cover here, but the ICO has issued GDPR guidance on consent that sets out best practice. One change worth thinking about is that under GDPR you must receive a positive opt-in from individuals: consent cannot be inferred from silence, pre-ticked boxes or inactivity.
Although our guide covers a lot of what GDPR will expect, it only covers the basics of the upcoming changes. To learn more, check the ICO’s website, which has further information on GDPR and what it will mean for your business. In the meantime, if you have any queries about the way your website or email marketing collects data, contact a member of our team today.