GDPR is here, but a great many businesses are still not entirely sure whether they are ready for the new rules. In reality, the general principles are not complicated, and in most cases, if you understand the spirit of the regulation, it will not be overly difficult to stay on the right side of the law. With this in mind, we are going to go through five questions that you should ask yourself to determine whether or not you are suitably prepared.
The first step in becoming GDPR compliant is conducting a review of the data that you hold. If this has not been done yet, it should be treated as a priority. You need to sit down and work out exactly what information you hold about individuals, why you hold it, where it is held, and whether it sits in one place or is scattered across several systems and departments. Understanding this will help you decide whether you have major changes to make, or whether you just need to tighten up some processes. You will find it much easier to deal with the requirements of GDPR, and indeed all data-related legislation, if you have excellent metadata, that is, data about the data that you hold: what each record contains, where it came from, why you keep it and how long you keep it for. This will be essential in scenarios where an individual exercises their right to request what information you hold about them.
Most businesses are now fully aware of their obligations when it comes to keeping individuals' data safe, so this point should not present too much difficulty. All data needs to be stored securely both physically and digitally, which means everything from using trusted cloud providers, to keeping passwords and other credentials safe, to keeping the rooms where data is stored locked and monitored. While we are on this point, it is important to know that GDPR also introduces a strict requirement to report personal data breaches. A breach that is likely to result in a risk to the individuals affected must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Here in the UK, that means reporting it to the Information Commissioner's Office (ICO).
Whatever your role in the organisation, whether you are an owner, a manager, or you work in IT, you must not assume that everyone else knows what GDPR is going to bring. Precisely because it has such wide-reaching implications, it is important that everyone in the business has an idea of what the regulation means. There are two points to this. The first is that everyone needs to know about any new policies you have introduced in order to be able to follow them. The second is that there might be things that you, or the other people responsible for implementing GDPR changes, have not thought about. Everyone can have an input. If you are in a position where lots of people need to understand GDPR, or you yourself feel that you need more information, then it may be wise to seek professional help. Virtual College offers courses on this subject; see our course page for the courses available.
This is probably the biggest potential change for businesses. GDPR insists that organisations must have a lawful basis for the collection and processing of an individual's information. In many cases this will simply be that the information is necessary to carry out the service requested by the individual, who is likely to be a customer. However, if information is not required to carry out that service, the organisation will need another lawful basis, and in many cases that will mean seeking the individual's consent. Consent is only one of the lawful bases the regulation recognises (others include a legal obligation or the organisation's legitimate interests), but where you rely on it, it must be freely given, specific, informed and unambiguous, and you must be able to demonstrate that it was obtained. This potentially has wide-ranging impacts. For example, if an individual purchases an insurance policy, then certain details will be essential to this and naturally collected in order to carry out the service. However, if the insurance company wanted to use, for instance, the individual's email address for marketing purposes, explicit consent would have to be sought. As a result, you need to establish whether or not you should be collecting consent alongside data, and you need a plan in place to do this and to record it.
One of the other changes that might require new processes is that of subject access requests. Under GDPR, you must respond to anyone requesting to know what information you hold about them without undue delay and, in most cases, within one month of receiving the request. Similarly, you must also be in a position to delete this information if an individual asks you to and no exception applies. This goes back to the first point about understanding the data that you hold: you cannot disclose or erase what you cannot find. In either scenario, you will need to make sure that you have a process in place should anyone make a request. Many businesses will rarely, if ever, receive such a request, but you need to be prepared nonetheless.