Unless you’ve been living under a rock recently, you’ve probably heard about GDPR and how it’s set to shake up the way that businesses use and manage the personal information of their customers and contacts.
We’ve read a lot of material recently that explains what GDPR means, but very little practical advice about what needs to be done to comply with the new regulations. So, we thought we’d put together a simple 10-step guide to GDPR and what you need to do.
If you would like a bit more detail about each point, read on…
Step 1 — Know what’s coming and understand the impact of GDPR on your business
Step one is pretty simple; understand what GDPR means and how it will affect your business. The fact that you’re reading this means you’re already on your way to completing this step — good job!
GDPR stands for the European General Data Protection Regulations and it introduces policies that will affect everyone. The new regulations come into effect on 25th May 2018 and relate to the safekeeping of personal data, as well as an increase in fines for serious breaches and non-compliance.
No matter how big or small your firm, you will handle personal information in some form or another and GDPR rules that these data must be protected. This doesn’t just apply to data collected online, but also to physical and printed data including contracts and your filing cabinet contents!
Step 2 — Make an inventory of all personal data
To understand what action you need to take, you first need to know what personal data you hold, who the data belongs to, and where and how it is stored.
You will need to have a record of all your data and all your data processing activities, in order to comply with the regulation. GDPR coming into effect will force you to ensure that your data is organised and easily accessible.
Step 4 — Individuals’ rights
Under GDPR, anyone whose data you hold has the right to request all such information at any time. They also have the right to have that data deleted from your records: “the right to be forgotten”.
If you’ve already completed Step 2, it should be easy for you to provide this information upon request. It should also simplify the process of deleting their data should they request that you do so.
Step 5 — Consent
You need to be able to prove that the people you are contacting have given you their “unambiguous consent” through “affirmative action” in order to send them marketing communications.
In a nutshell, this means you must have a record of when and how every person on your marketing list(s) gave their consent to be contacted. You also need to be able to prove that they agreed to consent “freely, without coercion, undue incentives or a penalty for refusal”.
This means that you cannot try to persuade users to opt in by offering them a prize or some other benefit, such as a discount or a whitepaper. Equally, you cannot penalise them in any way if they choose not to give their consent.
The easiest way to do this online is to include an opt-in box on all contact or registration forms. However, opt-in boxes must be unticked by default. Consent can no longer be inferred from pre-ticked checkboxes during the sign-up process, or from tick boxes that ask the user to opt out of marketing communications.
GDPR also means that consent can no longer be assumed for customers when it comes to marketing. You can still contact your customers for business-related correspondence, but you must be able to prove that they have given their consent to be contacted for any other purpose. Therefore, any data previously collected without clear, verifiable consent cannot be used, even if you’ve known the person for years.
Finally, individuals have the right to withdraw their consent at any time. It’s your responsibility to make sure you have the means to facilitate this and that you inform your contacts of how they can do this. Usually, this can be done with an unsubscribe link in email marketing, but you should also make it clear that this can be done by contacting you directly.
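As an added example (not SandisonPay’s code, and not from the original post), here is a small JavaScript module showing what a form handler has to capture to satisfy the consent rules above: it builds a record of when and how each person opted in, rejects submissions that cannot evidence an affirmative, freely given opt-in (a pre-ticked box, a box left unticked, or consent tied to a reward), and keeps a withdrawal timestamp so that the person can be removed from marketing at any time. The field names, the consent-text version string and the sample submissions are all assumptions constructed for this illustration.

```javascript
// Added example (not SandisonPay's code): build an auditable consent record
// from a marketing opt-in form submission, and support later withdrawal.
// Field names, the consent-text version and the sample submissions below are
// all assumptions constructed for this illustration.

// The wording shown beside the checkbox, versioned so the record proves
// exactly what the person agreed to at the time.
const CONSENT_TEXT_VERSION = "marketing-optin-v1";

// Build a consent record from a submitted form. Returns null if the
// submission cannot evidence an affirmative, freely given opt-in.
function buildConsentRecord(submission, now = new Date()) {
  const { email, marketingOptIn, checkboxDefaultChecked, incentiveOffered, formId } = submission;

  // The box must have been unticked by default: a pre-ticked box, even if
  // left ticked, is not an affirmative action by the user.
  if (checkboxDefaultChecked) return null;

  // Only an explicit tick counts; the absence of an opt-out is not consent.
  if (marketingOptIn !== true) return null;

  // Consent given in exchange for a prize, discount or whitepaper is not
  // freely given, so it cannot be relied on.
  if (incentiveOffered) return null;

  return {
    email,
    purpose: "marketing",
    method: "web-form-checkbox",   // how consent was given
    source: formId,                // which form collected it
    textVersion: CONSENT_TEXT_VERSION,
    givenAt: now.toISOString(),    // when consent was given
    withdrawnAt: null,             // set when the person withdraws
  };
}

// Withdrawal must be honoured at any time. Mark the record rather than
// deleting it, so you can still prove consent existed for earlier sends.
function withdrawConsent(record, now = new Date()) {
  return { ...record, withdrawnAt: now.toISOString() };
}

// A contact may receive marketing email only while a live record exists.
function mayEmailForMarketing(record) {
  return record !== null && record.withdrawnAt === null;
}

// Constructed sample submissions (not real data).
const explicitOptIn = {
  email: "a@example.com",
  marketingOptIn: true,
  checkboxDefaultChecked: false,
  incentiveOffered: false,
  formId: "contact-form",
};
const leftUnticked = { ...explicitOptIn, email: "b@example.com", marketingOptIn: false };
const preTicked = { ...explicitOptIn, email: "c@example.com", checkboxDefaultChecked: true };
const forReward = { ...explicitOptIn, email: "d@example.com", incentiveOffered: true };
```

Storing `textVersion` alongside the timestamp matters in practice: if you later reword the opt-in text, the record still shows exactly what each contact agreed to, which is the proof the regulation asks for.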
Step 6 — Data Protection Officer
The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority, or if you carry out certain types of processing activities. If you need a DPO and your business has fewer than 250 members of staff, you can share a DPO with another company.
However, we recommend appointing a single point of contact within your organisation to manage your data protection responsibilities, even if you aren’t required to appoint a DPO under the new regulations.
Your DPO should:
- Understand how GDPR relates to your business and what responsibilities you have in order to comply with the new regulations
- Have oversight of all personal data that you hold
- Be in a position to provide an individual’s information should it be requested and be able to delete an individual’s information if required
- Understand the rules regarding consent and manage the process of collecting consent from existing and future contacts
- Plan for data breaches and know how to react if a data breach occurs
The ICO provides detailed information about the GDPR requirements for data protection officers.
Step 7 — Data breaches
There is a new policy for reporting data breaches under GDPR. Ideally you should report the loss or breach of data within 24 hours; however, you have up to 72 hours to do so. Be aware that failure to report a data breach will result in big fines, on top of any fines you might receive for the initial breach.
You will need a plan of action for a data breach — it should include notifying anyone affected by the breach. You should also notify them if the data loss or breach can lead to discrimination, damage to reputation, financial loss or loss of confidentiality. If the breach is deemed to be sufficiently serious to warrant notification to the public, the organisation responsible must ensure they do this without delay.
In order to reduce the risk of a data breach, you should adopt a proactive IT security policy. You should ensure your mobile devices and computers are updated with the latest software and operating system version and use strong passwords that change regularly. You should also encrypt your data so that even in the event of a breach, your data cannot be accessed.
Step 8 — Your website
You should review any contact forms or registration forms to make sure they are GDPR compliant, including the correct method of consent opt-in as outlined in step five.
You should also consider how your contact forms are processed once submitted. For instance, does the form email you with the response? If so, does it use a secure mail server? If the form stores submitted information on your web server, is that data protected and could someone access that information if your website was hacked?
Step 9 — Child consent policies
GDPR states that children (under the age of 16) cannot give lawful consent because they are not fully aware of the risks of sharing data. If you hold data for individuals under the age of 16, you must be able to prove consent from a parent or guardian.
Step 10 — Offline data
Most of the content of this guide relates to digital data but don’t forget about your paper records and the contents of your filing cabinet.
This information needs to be secure from outside threats but easily accessible to you and/or your Data Protection Officer. If you are asked to delete an individual’s records, you need to do so in a manner suited to the sensitivity of the personal data and how it could be misused. For example, medical records must be shredded using a shredder of a specific cut size, and the disposal of the shredded material also needs to be secure.
SandisonPay can help
Following the steps above will help you on your way to becoming GDPR compliant but if it all seems too much, don’t panic!
Get in touch today and SandisonPay can help you review your current data policies and help you update your marketing processes and procedures.
**Disclaimer** Please note that the advice above reflects actions that SandisonPay is taking to comply with the GDPR regulations and/or activity that we have undertaken on behalf of our clients. We are not lawyers and cannot guarantee that the above advice will be 100% accurate for all businesses. If you have any hesitation or doubts about the requirements for your specific business, please seek legal advice.