Something called “GDPR” has been in your peripheral vision for some time. You meant to take a closer look, but with so many other priorities to manage, it got pushed to the bottom of your list. Now is the time to take action.
The General Data Protection Regulation (GDPR) applies from 25 May 2018. It brings in new and enhanced rights for individuals, designed to give them a greater say in what happens to their data. For organisations that control or process that data, it means new rules to follow.
The upshot for businesses (both B2B and B2C), schools, clinics and voluntary organisations: if you handle or store the personal data of individuals in the EU, GDPR demands your attention and action.
If all of this sounds a little daunting, then fear not. This guide is designed to highlight the specific areas you should look at as a priority and to point you in the right direction for further information.
Draw up a data map
GDPR concerns “personal data”. To establish what steps you’ll need to take to comply with the new law, you need a clear view of the personal data under your control. You need to find out what data you hold, where it came from, what you use it for, who has access to it and who you share it with.
Done in the right way, a data map can help you see at-a-glance how data works within your organisation, helping you to quickly spot the specific changes you’ll need to make. Read our guide to data mapping to put together your own version.
Check that you are processing data “lawfully”
This is an early priority. For each data processing activity your organisation carries out, you should make sure it’s allowed under the new rules. In other words, for each activity, you need to identify a “lawful basis”.
As an illustration, let’s say you collect customers’ addresses and pass them on to your courier for delivery. The lawful basis for this activity is that the processing is necessary to perform your contract with the customer.
Or suppose your professional body or the law requires you to collect certain information from your clients (e.g. for anti-money laundering purposes). Here, the processing is necessary for you to comply with a legal obligation (another lawful basis under the rules).
In other situations (sending out email newsletters to customers, for instance), you’ll usually need to rely on consent. And for some activities – such as putting together personalised offers for customers – legitimate interests could be the appropriate lawful basis to apply.
Accurately assessing the appropriate lawful basis for all of your data processing activities isn’t always easy – especially for those who are unfamiliar with data protection. To help you with this, The Privacy Compliance Hub features a complete methodology and a range of templates designed to help you cover each area of your business thoroughly. It’s especially useful at this late stage where time is of the essence.
Marketing communications: update your contact list
Generally, for email and many other promotional campaigns, you need to rely on the lawful basis of data subject consent. If you don’t have consent – or if that consent falls short of the requirements set out under GDPR – you should stop processing the data of those individuals for marketing purposes. Right now, you should consider the following:
- For marketing, what constitutes valid consent?
- Which customers have provided this consent?
- Can I demonstrate that proper consent has been supplied?
To help you further with this, read our guides to marketing and B2B communications.
Update your privacy notices
As a quick recap, you’ve mapped the flow of data through your business. You’ve identified all personal data processing activities you conduct – and you’ve identified the lawful basis for each activity.
Now, you need to ensure that your GDPR transparency obligations are met. The law requires you to provide data subjects with a clear and thorough explanation of why you need to process their data, what you intend to do with it and the lawful basis you rely on. As such, your privacy notices will likely need updating. Our dedicated guide explains what needs to be included.
Prepare for incoming subject access requests
As publicity surrounding GDPR increases over the coming days and weeks, don’t be surprised to see an increase in the number of requests from customers, ex-employees and other individuals whose data you have processed in the past.
These could be in the form of general subject access requests – or else specific requests relating to the new rules on “data portability” and the “right to be forgotten” (erasure).
- Right now. Make sure your people are trained to spot such requests, whichever channel they arrive by (e.g. email, letter or even social media). You must respond without undue delay and at the latest within one month (extendable only in limited circumstances for complex or numerous requests); failing to do so places you in breach of the rules.
- Longer term. Think about introducing a self-service element to your customer platform. Ideally, this will enable customers to see for themselves what data you hold on them, meaning that fewer resources are needed to respond to individual requests.
Other areas to cover right now
For activities such as shipping and payroll, if other companies or bodies process personal data on your behalf, you need to have a written contract in place with each processor. GDPR sets out the terms this Data Processing Agreement must contain.
More widely, in areas such as keeping a record of personal data breaches (and reporting them where required) and carrying out data protection impact assessments for new, higher-risk processing activities, the new law brings in a host of data governance requirements to get on top of.
If this seems like an awful lot to cover all in one go, then here are a couple of tips for you. First off, browse our resource centre for a more detailed overview of all things GDPR-related. At the same time, request a demo or get in touch with The Privacy Compliance Hub for a chat. We have everything you need to help you stay on top of your obligations right now and in the future.