Kirsty McAuley, corporate and commercial lawyer at Coodes Solicitors, gives her top 5 tips to get your business ready for the new General Data Protection Regulation (GDPR), which is due to be implemented into national law by 2018.
- Review how you hold data now
A good starting point is reviewing how you currently hold and manage data. This could be personal information on customers, clients or other contacts. Do you understand how this data is held, who can access it and whether or not it is shared with other companies? Understanding how you currently manage data will be vital to ensuring you make the necessary changes to comply with the new regulation. Build in regular reviews and delete old and unnecessary data.
- Understand the difference between opting in and opting out
Under the GDPR, people will generally need to ‘opt in’ rather than ‘opt out’ of receiving information from you or third parties. At the moment, for example, some businesses invite customers to tick a box (opt out) if they do not want to receive further information and some online forms include pre-ticked boxes, which need to be unticked. This will no longer be possible when the new regulation comes into force. Now is a good time to start looking at how people currently sign up to receive information from your business and incorporate a positive ‘opt in’ procedure.
- Set up processes for managing data breaches
The new regulation sets out stricter terms for how a business needs to respond when sensitive or confidential data is accessed by an unauthorised person – accidentally or otherwise. Under the GDPR, businesses must report any data breaches to the Government body responsible for data protection (the ICO) as well as to the individual affected. It will be far easier to manage any breaches if systems are in place to identify when these occur.
- Work out how to handle data access requests
A key element of the new regulation is that individuals should have the right to access their own data, for free and within a shorter timescale than is currently permitted. It will also allow people to exercise more rights around their data, including an expansion on the right of an individual to be forgotten. Businesses should therefore review how they currently manage any data access requests and consider how they can handle them more quickly and efficiently in the future.
- Get your teams on board
The success of any business in meeting the new requirements will be dependent on people across the business understanding the changes. Your business may be under a requirement to appoint a data protection officer and so it is best to look at this sooner rather than later. Although the exact form of the national law is not yet known, it would be wise to start awareness raising as soon as possible. Consider who the key people are – particularly at a senior level – who will need to have an understanding of the GDPR and work out what information they need. You can then put a training and communications plan in place.
Find out how to ensure that your company is fully prepared for the implementation of GDPR by attending the GDPR Summit Series, designed to help businesses prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
In addition to marketing teams, this conference will ensure that representatives from across the public and private sector, including the C-suite (CEO, CIO, CTO, CMO), Heads of Legal, and HR and Finance teams:
- Understand the implications of the General Data Protection Regulation
- Get to grips with new obligations and ensure their organization is compliant
- Start preparing for and implementing the General Data Protection Regulation
- Gain invaluable instruction and insight on the General Data Protection Regulation
- Learn how to avoid heavy fines and loss of reputation
- Discover if they need to appoint a Data Protection Officer
Further information and conference details are available at www.gdprsummit.london