With all the scaremongering online, it’s a wonder anyone takes any steps towards GDPR compliance. If you believed the image that most IT security outlets are painting, we’d forgive you for thinking all executives and IT departments are just sitting around screaming.
What’s lost in translation online is that the GDPR is an inherently good thing. It protects customers while giving businesses the opportunity to better use their data. We’re not denying that it’s important. We’re not denying that businesses need to do something about it. But there’s no need to frighten people.
Fear can paralyse us when presented with a seemingly insurmountable job. But it’s better to get something done than to do nothing at all. Businesses need to move towards compliance before the May 2018 deadline, so start making moves before the dance is over.
Here are seven things you can do today to prepare for GDPR.
1. Ensure internal GDPR awareness
Everyone who handles data in your business needs to know about the GDPR. It’s important that all employees handling data know that a change is coming, and that it may affect their work. After all, the regulation will affect everyone, from entry-level staffers to owner/managers.
2. Carry out a consent audit
You should conduct an audit into how you seek, obtain and record consent. Under the GDPR you must obtain consent and a positive opt-in from customers for marketing communications, and this consent must be unambiguous and specific. Also, for the consent to count, you must inform the data subjects about how you intend to use their information.
As a result, to prepare for the GDPR, you must document your opt-in and opt-out guidelines. If you do, proving compliance as the regulation comes into force will be much simpler.
3. Appoint a data protection officer
Under Article 37 of the GDPR, certain organisations need a data protection officer (DPO). This applies to any company processing data requiring ‘regular and systematic monitoring of data subjects on a large scale’. The term ‘large scale’ is quite vague, so be sure to do your research and find out whether you should appoint a data protection officer.
4. Check your legal basis for holding data
Consider what data processes you perform and check the legal basis for each use of personal data. Consent is an important first step, but it is not the only legal basis for storing data under the GDPR. Whenever you store data, identify your legal basis for storing it and document it. This will help you demonstrate compliance for every data subject whose information you hold.
5. Have a data breach plan ready
Under the GDPR, if there is a data breach you will have to inform the relevant authorities within 72 hours. This rule applies where the breach is likely to result in ‘a risk to the rights and freedoms of natural persons.’ If you don’t tell them within this window, you’d better have a good excuse; without one, penalties may apply. So, don’t delay: organise a plan for data breaches today and save yourself some future pain.
6. Prepare data privacy impact assessments
Businesses need formal Data Privacy Impact Assessments (DPIAs) when using new technologies and for data deemed ‘high risk’ to the rights and freedoms of individuals. Establishing a risk assessment framework is a good way of managing data privacy and ensuring compliance. The Information Commissioner’s Office has some guidance on how to help your company do this.
7. Get in touch with a technology provider
Sometimes, it’s best to just leave things to the experts. GDPR compliance can be a big job. If you think you need a hand, don’t be afraid to ask for help. If you do, you can stop worrying and get back to doing what you do best.
A head-start prevents nasty surprises
GDPR compliance may seem overwhelming at first, but you can do it with a head-start. With appropriate planning, you can reassure your customers that you are protecting their data. Don’t let the GDPR sneak up on you: start preparing today and avoid any nasty surprises.