It's been thrown around for well over a year now, and whilst you might feel it doesn't apply to your business, it most certainly does. GDPR is a new EU regulation, which is intended to strengthen and align data protection for individuals within the EU. Despite Brexit, the legislation will become law and is enforceable from 25th May 2018.
Whether you're a one-man designer operating out of your spare bedroom or a global business with over 10,000 members of staff, the same rules apply. The ICO (Information Commissioner's Office - a supervisory authority contracted to enforce the regulation) are clear about regulating businesses of all sizes and fines could reach 20 million euros or 4% of your annual turnover, whichever is greater. So, if you are found to not be GDPR-compliant, it's a costly mistake best avoided.
If you're still in the dark about GDPR, here are 6 steps to start becoming GDPR-compliant:
Personal data audit
Carry out a full audit of any personal data you hold, which may include clients, partners, suppliers, and employees.
Ensure the data you're holding remains relevant and outline the reasons for doing so. If you no longer have a purpose for the data, then it must be deleted. Perhaps you still hold CVs for unsuccessful candidates? Those CVs are no longer relevant and as part of GDPR must be deleted too.
Documenting storage sources
Review and document how data within your business is stored. Do you have a CRM system, keep business cards in a drawer or save personal files to a cloud account? Ensure you have a list of each and every storage source. Also record who within the business has access to these files: it's important to review the access rights within your organisation to ensure that only the people who need the data have access to it.
The latest Global Forensic Data Analytics Survey from EY revealed that just 33% of businesses had a plan in place to comply with GDPR.
Consent is essential
All individuals within your database must consent to you holding their information. For example, if you've previously purchased or acquired an email list without the users' permission, then you must ensure they provide consent for any future communications. In this instance, an email prior to 25th May is recommended. To avoid this moving forwards, create an opt-in as soon as possible; however, a lack of response to the new opt-in cannot be taken as a yes, and those contacts' details must be removed.
Network & server security
Whilst you may already have stringent security to protect your company's computer networks and servers, this fundamentally must be re-addressed. A number of the world's most recognisable organisations (Sony, eBay and Uber, to name a few) have all fallen foul of sloppy security measures, and the fines brought against them would cripple most businesses; yours is no different. Contact a local IT company, as they'll likely be well-versed in this field now and have processes in place to make it as smooth as possible.
Update policy terms
New consent terms and policy documents must be written to ensure your business lawfully states its data processing procedures. This may include how you intend to store data and for what duration. It should also include details of the procedures for subject access requests to the data being stored and for erasing that data.
At first glance, GDPR may seem like an overwhelming annoyance which requires plenty of input and planning. Following the above steps will help break down the process and make it more manageable.
We will be releasing further guides in the coming weeks and would like to hear your thoughts on what aspects of GDPR you'd like us to cover.