GDPR (the General Data Protection Regulation) has been widely reported recently, but our experience indicates that a significant proportion of businesses are still unaware of the changes, or do not have a plan in place for compliance.
As part of our GDPR series, we've prepared a list of the key things to look for and put in place now in order to help you comply. These are outlined below; our other GDPR insights give an overview of the best (compliant) data collection methods.
GDPR - What to do now
To help ensure you comply, our recommendation is to start now. The key steps to take include:
Make your team aware
GDPR has received a lot of coverage (particularly in the marketing press), but this does not mean that everyone is aware of the changes. Raise the topic with your team, including IT and anyone who handles customer or employee data day to day, so that they know about both the risks and the opportunities.
Review your contracts to see which ones would need to be amended
GDPR will require suppliers and customers to review their supply chains and current contracts, so renegotiations may be required. In particular, GDPR requires a written contract, with mandatory terms, between a controller and any processor handling personal data on its behalf, so any existing supplier arrangement that lacks these terms will need amending. Equally, commercial terms will inevitably have to be revisited given the increased costs of compliance and the higher risks of non-compliance.
Identify your data flow
An important step towards compliance is to review your organisation’s data flow. This lets you identify where your data is located, who can access it and who owns it, while classifying the types of data your organisation holds.
Key questions that every organisation should address include:
- What ‘personal’ data is being processed?
- Are existing processing methods compliant?
- Where is data being held and how does it flow through the organisation?
- Are there adequate controls in place surrounding movement and storage?
- Who in the organisation owns the data?
- Who can access the data?
- Who, if anyone, is it being shared with, both internally and externally?
Revisit your data sharing protocols
Most organisations carry out some form of data sharing, typically either between group companies or with external third parties. However, if the data being shared is 'personal data', additional steps will need to be taken to ensure that individuals are provided with all the relevant information about how their data is shared (including the recipients, or categories of recipients, of the data) at the right time, normally at the point of collection.
Clear out your data
Once you've assessed your data flows and protocols, make sure you clear out any personal data which is no longer required. The less personal data you hold, the easier compliance will be (just make sure you record which data was removed and why, without the deletion record itself becoming another copy of the personal data!).
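As an added illustration of the clear-out step (this is example code written for this page, not a tool from the original insight), the script below applies a hypothetical retention policy to a set of constructed sample records, removes those that have been inactive for longer than their category allows, and writes a deletion log that records what was removed and why. The log stores only a truncated hash of each record's identifier, so it does not re-create the personal data it documents; records in a category with no policy are kept and flagged for classification rather than silently retained. The category names, retention periods and sample records are all assumptions for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Hypothetical retention policy: days of inactivity after which a record
# in that category is no longer required (an assumption for this example).
RETENTION_DAYS = {"marketing_leads": 365, "support_tickets": 730}


def _ref(identifier: str) -> str:
    """Pseudonymous reference for the deletion log.

    The log must explain which data was removed and why, but it should not
    itself become a copy of the purged personal data, so only a truncated
    hash of the identifier is kept."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def purge_expired(records, retention_days, now):
    """Split records into (kept, deletion_log, unclassified_ids).

    A record is deleted when its last activity is older than the retention
    period for its category. Records whose category has no policy are kept
    and their ids returned separately so that someone classifies them."""
    kept, deletion_log, unclassified = [], [], []
    for rec in records:
        limit = retention_days.get(rec["category"])
        if limit is None:
            kept.append(rec)
            unclassified.append(rec["id"])
            continue
        last_used = datetime.fromisoformat(rec["last_used"]).replace(tzinfo=timezone.utc)
        if now - last_used > timedelta(days=limit):
            deletion_log.append({
                "record_ref": _ref(rec["id"]),
                "category": rec["category"],
                "last_used": rec["last_used"],
                "reason": f"inactive for more than {limit} days (retention policy)",
                "deleted_at": now.isoformat(),
            })
        else:
            kept.append(rec)
    return kept, deletion_log, unclassified


# Constructed sample data for the example; none of it is real.
SAMPLE_RECORDS = [
    {"id": "alice@example.com", "category": "marketing_leads", "last_used": "2016-01-10"},
    {"id": "bob@example.com", "category": "marketing_leads", "last_used": "2018-03-01"},
    {"id": "ticket-1001", "category": "support_tickets", "last_used": "2015-06-30"},
    {"id": "ticket-1002", "category": "support_tickets", "last_used": "2017-01-15"},
    {"id": "carol@example.com", "category": "unclassified", "last_used": "2014-02-02"},
]


def run_example():
    """Run the purge against the sample data as of a fixed date."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    return purge_expired(SAMPLE_RECORDS, RETENTION_DAYS, now)


if __name__ == "__main__":
    kept, deletion_log, unclassified = run_example()
    print("kept:", [r["id"] for r in kept])
    print("needs classification:", unclassified)
    print("deletion log:", json.dumps(deletion_log, indent=2))
```

The deletion log is what you would retain as evidence of the clear-out; the kept list is what remains in the system, and the unclassified list is a prompt to finish the data-flow review rather than an excuse to keep the data indefinitely.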
Update your data collection methods
Finally, and at a very basic level, look to update your data collection methods. Remember, any changes should ensure that the individual is informed (i.e. is aware of who is collecting the personal data, when and how it is collected, and what it will be used for), that any consent has been freely given, and that it is the result of a positive opt-in (no pre-ticked boxes or default options). Bear in mind that consent is only one of the lawful bases for processing; where you rely on another basis, such as a contract with the individual, do not ask for consent you do not need, since consent that is later withdrawn cannot simply be replaced.
What should I do next?
See our other insights for an overview of the best (compliant) data collection methods, or get in touch to see how we can help. To make sure you receive our newsletters, please sign up using the form below.