There is less than a year to go until the General Data Protection Regulation (GDPR) applies. It was adopted in 2016 and becomes enforceable on 25 May 2018; in the lead up to that date, your business should be working towards compliance and understanding how the regulation will affect you.
Here are the four most commonly asked GDPR questions - and their answers.
1. Why should you care about the GDPR?
The GDPR is one of the most significant changes to EU data protection law in the last 20 years. It applies to any organisation established in the EU, and to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour, whether or not those people are EU citizens.
Replacing the 1995 Data Protection Directive, on which the UK's Data Protection Act 1998 was based, the GDPR is a regulatory framework with much greater scope, strengthening and harmonising data protection law across the EU. Some of the changes include:
- Right of access. Data subjects can ask whether you are holding personal data on them. If you are, they are entitled to a copy of it and to know why you are processing it, who you share it with and how long you will keep it.
- Right to be forgotten (right to erasure). In certain circumstances, for example when the data is no longer needed for the purpose it was collected for or the data subject withdraws consent, you must delete their personal data. If you have disclosed the data to others, you must also tell them so that they stop processing it.
- Data portability. This is the right of a data subject to receive the personal data concerning them in a 'commonly used and machine-readable format'. They also have the right to transmit this data to another organisation.
- Penalties. Non-compliance can attract fines of up to €20 million or 4 percent of annual global turnover, whichever is higher (a lower tier of up to €10 million or 2 percent applies to some infringements).
- Breach notification. You must inform the supervisory authority (the ICO in the UK) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to them, you must also tell the affected individuals without undue delay.
2. What should you do about GDPR?
Most companies will have security policies in place. If yours doesn't, you should start writing them now to protect your business.
You must also protect every device that holds or accesses personal data, including those owned by employees. If there is a security breach and the personal data you are responsible for is compromised, accountability lies with you as the data controller, even if it was a staff member's action that caused the breach.
Furthermore, where you rely on consent as your lawful basis, for example for marketing, the GDPR requires a positive 'opt-in': consent must be freely given, specific, informed and unambiguous, shown by a clear affirmative action. Pre-ticked boxes and silence do not count, and consent must be as easy to withdraw as it was to give. You should review how customers opt in and out of your marketing and make sure the wording is clear and written in a way your customers will understand.
3. How can I become GDPR compliant?
If you haven't already, start your journey towards compliance as soon as possible. Your business needs to be transparent about how it collects, stores, transfers and discards personal data.
A data audit is a good place to start: record what personal data you hold, where it came from, why you process it, where it is stored and who you share it with, and delete any irrelevant, duplicate or out-of-date records. Moving data to a reputable cloud provider can help with the security side, but it does not make you compliant on its own: you remain the data controller, and you need a written contract with the provider that sets out how it processes data on your behalf.
4. How much effort will GDPR compliance require?
In short, not as much as you might think. Many people have described GDPR compliance as a massive, impossibly complex job. This doesn't have to be the case.
If you're using third-party cloud-based services, like those offered by Microsoft, the provider's own security and compliance measures cover a good part of the infrastructure work. However, this isn't a miracle solution: you are still responsible for what data you collect, why you collect it, who can access it and how long you keep it, and even with the best equipment and software, human error can still cause a data breach. Make sure your employees know what they are doing.
Software can get you most of the way, but it’s up to you to fill the gaps.
Get in touch to find out more about becoming GDPR compliant. Or give us a call on 01625 837800.