GDPR – it’s REALLY not as scary as it sounds
GDPR – it’s not as scary as it sounds
There’s been a lot of noise around the subject of GDPR and it’s certainly true that for some businesses it will cause a fair amount of disruption but for the majority of firms, it really doesn’t have to be the trauma that some are describing.
In this piece, we’ll look at the central themes of GDPR and give you some practical steps to take now to make sure you’re in the best shape possible for implementation.
So what is GDPR?
Unless you’ve been living under a rock you can’t have failed to hear the acronym but you may not be totally sure what is involved.
The General Data Protection Regulation is a European initiative to update the data protection landscape to make it fit for purpose in the 21st century.
It’s not entirely unreasonable given the vast changes in the collection, processing and movement of data in today’s world and when you consider that the very first iPhone was launched only 10 years ago it’s fair to say that regular updates are likely to become part of business life.
Although GDPR is an EU initiative it would be wrong to think that it will be cancelled or delayed by Brexit. The government have confirmed that the UK version, the UK Data Protection Bill will indeed become law on 25th May 2018 so there really is no escape.
Given that we’re not going to be able to avoid the regulations it seems sensible to begin to plan effectively and early to ensure that business is in the very best shape to cope.
The first step is to understand and analyse what personal data your company collects and holds. To help we’ll be publishing a handy GDPR questionnaire that will guide you through this but the starting point is to look at all the places that you collect, process and store information. Think in terms of data that is identifiable with an individual.
Later, you’ll need to analyse what you collect, how you process it, who has access and how and when you transfer data elsewhere in the world but for now it’s a good starting point to simply understand all the points that your organisation touches information about people.
One of the central tenets of GDPR is that there must be a purpose for collecting all of this information. Put simply it’s not enough to collect data just because you may need it at some unspecified time in the future for some unspecified reason.
What you need to do is to identify your purpose for collecting information in the first place.
To use an example if we imagine a florist collecting customers addresses. The business has a reasonable need to collect and hold addresses for the purpose of delivering goods or complying with their credit card provider’s rules.
However, it can’t be a blanket rule. The same florist doesn’t have a reason to take address information from a customer who pays cash and takes the flowers away with them.
For your business, you need to understand the purpose of collecting information. Indeed for many businesses there may be many reasons why they collect data at different points in the relationship with a customer.
A further theme running through the regulations is that of consent. We’ve all seen tickboxes on websites that tell us they’ll be collecting data about us. From 2018 onwards it won’t be enough to assume consent, the customer must give active consent to their data being held by the business.
Businesses will be required to be able to prove that they obtained consent by keeping adequate records and will have to go back to existing customers and make sure that they are also fully informed about what the company intends to collect and hold.
The basic aim is that of protection for the consumer and the fourth major theme is that of access to data held about you.
Companies will need to ensure that they have adequate systems and procedures in place to effectively deal with requests from consumers (known as subject access requests) and that they can be carried out in a timely manner and accurately.
The final major theme is that of disaster recovery.
The business needs to ensure that it has a realistic plan to deal with any data breach incident that occurs. This will involve remedying the initial breach, ensuring that it cannot happen again and being able to inform potential subjects of the breach that their information may be compromised.
These then are the major themes that cover the GDPR process.