The General Data Protection Regulation (GDPR) comes into force in May 2018. This new European Commission regulation aims to standardise and improve data protection across EU member states by requiring companies to comply with strict procedures and standards regarding the data they hold and the way in which it is managed.
Although the UK will cease to be part of the EU post-Brexit, this does not mean that the GDPR will not be important to UK-based companies. Compliance with the GDPR is essential for all companies that do business within the EU, not just those with an EU base. The Data Protection Bill, published in September 2017, will incorporate the requirements of the GDPR into UK domestic law with some small variations.
Data protection is of increasing importance, and the homogenisation of regulations is even more crucial as international and globalised cooperation becomes the norm. Ensuring that your company complies with these policies is not only a legal necessity, it’s also an important step in promoting customer trust. As with many aspects of customer relationship management, data protection requires transparency and positive action on behalf of your company.
Checklist for getting your business GDPR-ready:
There are several steps that you need to take now in order to ensure that your business complies with these new regulations and to make the transition as smooth as possible for you and your clients. The following checklist has been drawn from that created by the UK Information Commissioner’s Office.
It goes without saying that the first step in preparing your company for this transition is to ensure that the correct people are aware of the changes that are happening. It is crucial for decision makers and key players to consider the changes which may need to take place and how they will impact their responsibilities. The larger your organisation, the more implications there may be when it comes down to ensuring a smooth transition.
2. Information held
Consider what information your company holds and where this is held. In order to comply with this regulation you will need to have a clear record of the customer information in your possession. The GDPR provides more rights for companies with which data is shared, and if data you have shared with a company is subsequently found to be inaccurate, you will be required to inform that company.
Accountability for the information you hold and the way in which it is processed requires clear procedures and policies regarding the handling and storage of personal data across your organisation.
3. Review privacy notice
In order to create transparency and promote customer trust, this regulation requires you to ensure that your customers are aware of how their information will be processed and used. It is imperative that your company review the privacy notices and clauses that are shared with customers, updating them in accordance with any changes which must be made for GDPR compliance.
4. Compliance with rights of individuals
One of the main goals of the GDPR is to enhance the rights of individuals with respect to the information that is held about them. Creating a homogenised system ensures that individuals are able to rely on these rights across different jurisdictions. Your company must make sure that key players and decision makers are aware of the enhanced individual rights afforded by the GDPR and be prepared to uphold these rights.
- Crucial factors that may require changes in your data processing include:
- The right to erasure. A subject can request that their details be removed from your systems, essentially to be ‘forgotten’.
The right to data portability. This gives individuals the right to request a copy of data held on them not only for themselves, but also in order to pass this data to another organisation. This has implications for the format in which data is provided.
5. Subject access
Consider the implications of the altered subject access rules. Your company must respond within a month, so it is important that your procedures are prepared to cope with this timeframe.
6. Lawful basis
Your organisation must be aware of the lawful basis on which they process information. Whether that is, for example, through consent or through contractual necessity will affect the way in which personal data can be processed or used. Identifying the lawful basis for the use of data will help you to promote and guarantee accountability.
7. Managing consent
Consent must be explicitly sought and given in order for it to be valid. The consent given must be specific and unambiguous. This allows your customers to feel confident in the knowledge that the information they give you will only be used in the ways that they have been informed. This transparency breeds trust and customer satisfaction.
The GDPR places particular emphasis on the proper use of data of minors. If your company holds data of this type it’s important to take extra care that your procedures comply fully with the new regulations. Factors which may need consideration include the obtention of consent from parents or guardians for the use of personal data, and that the language employed in communications is easily understandable. The default age of digital consent according to the GDPR is 16, however this is not universally applicable. In the UK the Data Protection Bill requires that a guardian’s consent be obtained if the subject is under the age of 13.
9. Breach procedures
All companies subject to the GDPR should have appropriate procedures and protocols in place to help identify and deal with any personal data breach. These procedures should include directions on who needs to be informed and on how to act should a breach result in a risk to the rights or freedoms of individuals.
10. Privacy by design and impact assessments
Privacy Impact Assessments may well already be part of your company’s regular procedures, as commonly accepted good practice. The GDPR formalises this as a requirement, requiring ‘Data Protection Impact Assessments’ (DPIAs) to be undertaken in certain circumstances. Decision makers should be familiar with these circumstances and procedures should be put in place for the proper conduction and documentation of these assessments.
11. Data Protection Officers (DPOs)
Under the GDPR your company may be explicitly required to appoint a DPO. This individual may be externally or internally appointed but must be given the correct knowledge, resources, tools to take responsibility for data protection compliance within the company. Even if your company does not fall into a category that requires a DPO, appointing someone to ensure that the GDPR is followed appropriately will help your company to promote the proper processing of personal data.
12. Cross-border elements
If your company operates in more than one EU country then it is important to identify your ‘main establishment’ or central base of operations and therefore the main governing authority that you will be answerable to. As this is an EC regulation, the GDPR will be implemented slightly differently from member state to member state, therefore it is crucial to be aware of the specific implementation that applies to your company.
By following the above checklist you can be confident that your business complies with the regulation, and as such is providing the highest standards of data protection for your clients. Increasing awareness of issues of data protection and privacy is crucial within organisations that handle customer data. Clearly defined procedures and parameters allow your team to operate with confidence in a competitive marketplace. A visible commitment to this regulation, clearly set out in understandable language, will also increase client trust in your business by providing transparency.