Time is ticking towards the GDPR deadline of 25th May 2018, and you really should already have taken major steps to understand the implications that this legislation will have on your business. If you are still floundering and wondering where to start, here is a quick guide to getting your business ready for GDPR.
- Get Educated
You need to let all your staff and business stakeholders know what the GDPR is and what impact the regulation will have on the business. Everyone needs to be aware of the GDPR and of the practices that you will be introducing to ensure that you are compliant. Personal data breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours of your becoming aware of them (unless the breach is unlikely to result in a risk to individuals), so it is critical that everyone knows what is expected of them, including how to recognise a breach and who to escalate it to.
- Information Audit
All businesses hold information, but often data is collected and stored in volume and detail without further thought. The GDPR requires you to know what data you hold so that you can manage it appropriately. Ignorance is no excuse for GDPR breaches and the penalties that follow, so you must record the information that you hold, where it came from, and who you share it with. The GDPR is big on accountability: you must be able to demonstrate that you have effective policies and procedures in place to protect personal data and to remove it on request, and to do that you need to know where it is.
- Privacy Notices
You need to update your current privacy notices (i.e., where you tell people how you intend to use their data) so that they are compliant with the GDPR. You also need to include your lawful basis for collecting and processing their data, how long you will keep it for, and that individuals can complain to the ICO if they think you are using their information unlawfully. Use language that is clear and concise so that everyone understands what you are going to do with their data.
- Consent
You should review how you seek, manage and record consent from individuals. This is a very important part of the GDPR, and you must be clear about what is required of you. Consent must be:
- Freely given
- Specific
- Informed
- Unambiguous
This means that consent cannot be inferred from a failure to opt out, from inactivity or from pre-ticked boxes. Consent must be kept separate from other terms and conditions, and you must be able to demonstrate that it was given: record who consented, when, how and to what.
- Data Protection
The data that you store must be managed in a way that is compliant with the GDPR. This means that you have to take considerable steps to ensure that your policies and procedures, your networks and your cloud-based software solutions are secure. You should be able to detect, report and investigate any breaches that occur, which in practice means having logging and monitoring in place before a breach happens, not after. A CASB, or cloud access security broker, can give you visibility and control over how personal data moves through the cloud services your staff use, which helps you protect that data and meet the demands of the GDPR.
On first inspection, the GDPR appears complex and confusing; however, once you have adapted and amended your current policies and procedures, you will find that it is a great tool for giving your customers and clients an internationally recognised standard of trust in your business.