How to Prepare Your Business for GDPR
GDPR will put consumers in full control, and businesses will have to comply with the regulations from the 25th May 2018.
If your business is complying fully with the current Data Protection Act (DPA), then you’re already along the right lines. Many of GDPR’s key principles are almost identical to our current legislation, with a few additional components. So, if you’ve been following the current regulations, as you should be, then your approach will mostly remain valid under GDPR. At least you’ve got a starting point …
But there are new principles that businesses and organisations will have to comply with. A lot of this may be unfamiliar territory for many businesses, so it’s important to prepare now, ahead of the big change.
6 Steps to Prepare Your Business for GDPR
1. Look at Your Data
Map where your consumer’s personal data comes from and what you do with it.
Make all employees aware that the law is changing from the DPA to GDPR. If you want to prepare your business for GDPR, everybody needs to know about the changes they may need to make in their job role. For example, how will the new regulations affect how sales people contact potential clients?
It’s likely to have a big impact on your business, even more so if you’re a big organisation handling a lot of data, so you may find compliance challenging if you only start preparing a few days before the regulations come into effect.
2. Decide What Data You Need
Under GDPR, your business can’t keep or collect data that has no purpose. For example, if you’re collecting the gender of consumers, is there a reason? Are you using gender data for a specific reason? If your answer is no, you can’t store it for the sake of it.
A lot of the categories of data you may collect could serve no purpose. If you only target your audience based on their age, for example, then you don’t need to store their gender, interests and so on. GDPR is focused on a stricter treatment of personal data.
3. Data Breaches
Every organisation has a duty to report certain data breaches to the ICO, and possibly the individuals whose data has been breached.
If you suffer a breach which is likely to put the rights of your consumers at risk, you must take the appropriate action.
4. Review How Consumers Consent
You might not need to make any changes here, but you should review how you gather, record and manage consent.
Consent needs to be clearly given and not presumed.
By presumed, we mean that consent can’t be taken for granted by silence, pre-ticked boxes or inactivity. Consumers need to explicitly consent to the processing of their data, so review your disclosures and privacy statements and make sure they’re clear.
5. Get Your Processes in Place
As I mentioned earlier, every consumer has quite a few rights under GDPR. In case you missed it, or you need a refresher, check out the consumer rights you HAVE to know, “Are You Ready for GDPR?”
You need to have clear procedures for handling data to prepare your business for GDPR.
- How are you going to get consumers to give consent in a legal manner?
- How are you going to delete an individual’s data, if requested?
- How are you going to be able to confirm their data has been deleted across all platforms?
- How are you going to transfer a consumer’s data, if requested?
- How are you going to confirm the identity of the person requesting a data transfer?
- How are you going to inform your consumers in the event of a data breach?
If you can’t answer all the above questions, it’s time to start acting before it’s too late.
6. Designate Data Protection Officers
It’s advisable to have someone who will take responsibility for data protection compliance. This isn’t necessary for every business, but some businesses will be formally required to appoint one if:
- You are a public authority (exempting courts acting in their judicial capacity)
- You carry out regular monitoring of consumers on a big scale
- You carry out large-scale processing of ‘special’ data, like health records or criminal convictions
If you think any of the above may apply to your business, head over to the Article 29 Working Party for some guidance.
Dedicate enough time so you can become compliant BEFORE the 25th May. Create a plan, so when the 25th May arrives you’re prepared, relaxed and can easily answer consumer requests regarding your compliance.
Do you Handle Children’s Personal Data?
GDPR will introduce, for the first time, a special protection for children’s personal data, with a focus on ‘commercial internet services’ like social networking.
If you offer an online service that is accessible and used by children, which relies on consent to gather their personal data, you may need to ask for parental / guardian consent for their data to be processed lawfully.
Children can give their own consent, without parental / guardian consent being necessary, if they are 16 years old. But it is possible for the age to be lowered to at least 13 years old in the UK.
Remember, your privacy notice needs to be age appropriate. It needs to be clear, and in plain English, so children will understand it. Note that consent needs to be verifiable, just the same as for consenting adults.
Prepare Your Business for GDPR Now!
Think of GDPR as an opportunity, rather than a challenge.
If you comply with the new regulations (they aren’t optional anyway), you’re transparent, and you help your customers to find the correct information regarding their personal data, then you will build up trust with your customers. Paint your business in the best light – it’s better to follow the rules and show your customers you respect their privacy than to be slapped with a big fine and have to handle a lot of angry customers!
About the author:
Marie Harwood is a Digital Marketing Assistant at Different Gravy Digital, Hale, Cheshire.
Different Gravy Digital are a full-service Digital Marketing Agency operating in the Hospitality & Leisure, Financial Services, Legal & Property sectors. Products and services range from: 3D & 360° Tours, Website Design & Build, Social Media, Video Production, Search Engine Optimisation (SEO), Content Creation, Email Marketing, Online Feedback / Review Systems and Paid Advertising (Google, Bing and Social Media).
0161 706 0004
120a Ashley Road, Hale, Altrincham, Cheshire, WA14 2UN