The GDPR is a hot topic right now. Companies all over the EU are looking for more information to make sure they are fully compliant by the time the law goes into effect in May 2018.
So, what exactly is the GDPR? And what does it mean for your business?
Read on for a simple, no-nonsense look at the impending changes, and find out what your business needs to do to stay on the right side of the law.
What is GDPR?
GDPR, or General Data Protection Regulation, is a law designed to protect individuals from data theft and protect the privacy of personal data. It aims to give individuals more control over how their personal data is used and protected. To do this, GDPR outlines new regulations on how companies can collect, store and use customer data.
That might sound overwhelming but at its core, GDPR is designed to protect users and companies from having data stolen. That’s a really good thing.
And the penalties for not complying with GDPR can be pretty severe: up to 20,000,000 euros or 4% of your total worldwide annual turnover, whichever is higher. But don’t worry, we’re here to walk you through the GDPR and help you prepare for the changes it’ll bring.
Here’s what you’ll need to change once GDPR comes into effect.
1. Communicating with your customers
One of the biggest changes under GDPR is the information your business will need to provide customers about the customer data you collect and use. The idea is that customers must know what data you’re collecting, what you’re using it for, who else will have access, and (when possible) how long you’ll be storing it.
You’ll need to communicate these things clearly. That means burying this information in your website’s terms and conditions will be a violation of the law.
What this means for you:
You’ll probably need to add a feature to your website that automatically informs customers their data is being collected. It’s also a good idea to rewrite your terms and conditions to comply with GDPR.
2. Consent and customer data rights
Customers will need to opt in if you want to use their data, and they can choose to opt out at any time. Under the GDPR, you’ll be responsible for proving your customers gave this informed consent.
Customers can also legally request to see, edit, or delete the data you’ve collected about them. You’ll need to provide a way for customers to do this easily. The goal is to give customers as much control as possible over their information.
What this means for you:
Because customers can opt out, your customer marketing databases will likely shrink. With a smaller email list, marketing efficiently and effectively becomes even more important, so that you make the best use of the customer leads you do have.
You’ll also need to integrate your back-end systems, so you can easily edit and remove customers’ data as they request it.
3. Privacy by design
According to GDPR, companies should consider “data protection by design and by default.” This means you’ll need to think about data protection and privacy from the start and build it into your customer data collection and storage mechanisms.
The law also requires technical steps to protect user data, including data minimisation and pseudonymisation.
Data minimisation means you collect and process the minimum amount of data necessary for a specific purpose and keep it only as long as you need it for that purpose. In other words, you don’t collect someone’s family history when all you need is an email address. The point of data minimisation is to reduce the risk of private data being stolen.
Pseudonymisation means making the data you’ve collected anonymous by replacing identifying fields with pseudonyms. The identifying information can be kept in a separate, secure system. This way, if a security breach occurs, the data released during the breach will not contain sensitive identifying information about your customers.
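As an added illustration of the two techniques just described (this is example code written for this page, not code from the original article), the Python sketch below first drops the fields the stated purpose does not need (data minimisation) and then replaces the remaining identifying fields with a keyed pseudonym, keeping the pseudonym-to-identity mapping in a separate store. The sample records, the field sets, the `Pseudonymiser` class and the `DEMO_PSEUDONYM_KEY` are all constructed for the example. The `leaks_identifiers` check is the part to keep: it confirms that the working data set holds none of the identifying values, which is exactly what a breach of that store would expose.

```python
import hashlib
import hmac

# Constructed sample records; these are not real customers.
RAW_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "family_history": "none recorded", "newsletter": True, "country": "DE"},
    {"name": "Bob Example", "email": "bob@example.net",
     "family_history": "none recorded", "newsletter": False, "country": "FR"},
]

# Data minimisation: the stated purpose (running a newsletter) needs only these fields.
PURPOSE_FIELDS = {"email", "newsletter", "country"}

# Fields that directly identify a person; they go to the separate store, never the working set.
IDENTIFYING_FIELDS = {"name", "email"}

# Hypothetical secret used to derive pseudonyms. In a real deployment it would live in a
# key store, not in source, and would be kept apart from the working data set.
DEMO_PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def minimise(record, allowed):
    """Keep only the fields the declared purpose needs; everything else is never stored."""
    return {k: v for k, v in record.items() if k in allowed}


class Pseudonymiser:
    """Splits each record into a working record (pseudonym + non-identifying fields)
    and an entry in a separate lookup store (pseudonym -> identifying fields)."""

    def __init__(self, key):
        self._key = key
        self._lookup = {}  # stands in for the separate, secured system holding identities

    def _token(self, identifying):
        # Keyed hash over the identifying fields: deterministic, so the same person gets the
        # same pseudonym on repeat contact, but not recomputable by anyone without the key.
        canonical = "|".join(f"{k}={identifying[k]}" for k in sorted(identifying))
        return hmac.new(self._key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

    def pseudonymise(self, record, identifying):
        ident = {k: record[k] for k in sorted(identifying) if k in record}
        token = self._token(ident)
        self._lookup[token] = ident
        working = {k: v for k, v in record.items() if k not in identifying}
        working["subject_id"] = token
        return working

    def reidentify(self, token):
        """Only code with access to the separate store can turn a pseudonym back into a person."""
        return self._lookup.get(token)

    def erase(self, token):
        """Erasure request: drop the link so the working record can no longer be tied to anyone."""
        return self._lookup.pop(token, None) is not None


def leaks_identifiers(working, raw, identifying):
    """Breach check: does any working record still contain an identifying value?"""
    sensitive = {str(r[k]) for r in raw for k in identifying if k in r}
    return any(str(v) in sensitive for rec in working for v in rec.values())


def process(records=RAW_RECORDS):
    """Minimise, then pseudonymise, every record; return the working set and the pseudonymiser."""
    p = Pseudonymiser(DEMO_PSEUDONYM_KEY)
    working = [p.pseudonymise(minimise(r, PURPOSE_FIELDS), IDENTIFYING_FIELDS) for r in records]
    return working, p


if __name__ == "__main__":
    working, p = process()
    for rec in working:
        print(rec)  # what a breach of the working store alone would expose
    print("leaks identifiers:", leaks_identifiers(working, RAW_RECORDS, IDENTIFYING_FIELDS))
```

The separate store is the piece that turns a pseudonym back into a person, so it is the one that needs the tighter access controls; the `erase` method shows how a customer's deletion request can be honoured by dropping that link, after which the working record no longer refers to anyone.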
What this means for you:
Chances are that your current data processing systems are not up to GDPR standards, and you will have to upgrade or change them. You also need to ensure any companies you work with who handle your customer data are also GDPR compliant.
4. Reporting security breaches
Despite your best intentions, accidents can still happen. If a security breach does occur, you will be required to notify the supervisory authority of the GDPR within 72 hours and tell them the nature of the breach, what information was stolen, and how many people were affected.
What this means for you:
Make sure you know who to report security breaches to and what information you need to provide about the breach in advance, so you can notify them within the legal time frame. The supervisory authority will vary depending on the country your business operates in.
So what now? 4 Practical steps
1. Data Audit
The first step to preparing for the GDPR is to conduct a comprehensive audit of your current website and data practices. An audit will help you identify your weak points and correct them in time for May 2018. In your audit you’ll want to look for weak links, like:
- Are you using any third party data processors? Are they compliant with the GDPR?
- What data do you have stored? Do you still need it?
- How is your data currently stored?
- How did you collect this data? Did you have permission to collect it, in compliance with the GDPR?
- Are your data systems properly integrated?
Looking at every aspect of how you use and store your data will help you put processes in place to meet GDPR rules. (And don’t panic! We can help set up a data audit if you’d like support.)
2. GDPR Compliance Training
You’ll need to train any employees who handle customer data, so they know how to process and store data in line with the GDPR. This includes anyone who has access to customer data, not just supervisors or upper-management. Start acting on this now, so everyone in your business is ready to go, knowledgeable and compliant, from May.
3. Appoint a Data Protection Officer
The law requires you to appoint a “Data Protection Officer” (DPO), who can be an employee of your company or an outside contractor. The DPO will be (or become!) an expert in data protection, and can advise your company and employees on internal compliance with the GDPR. This person will be the point of contact between your company and the supervisory authority (who’s in charge of compliance with the GDPR).
The DPO can be one of your current employees, as long as there’s no conflict of interest between their job and the responsibilities of the DPO. It’s a good idea to choose and train your DPO soon, so that they are ready to step in when the law comes into effect. And again, if you need support here please do get in touch.
4. Employee Awareness and Training
“Quite often, breaches occur due to employees’ actions. One of the requirements of the GDPR is to ensure that each employee is aware of GDPR and how their actions can lead to the organisation being fined. Organisations must take steps to reduce their liability, and one of the ways is by effective training and awareness,” says Yasmine Lupin from lcate.co.uk, a London-based training company that specialises in GDPR training and guidance for companies in the UK.
Disclaimer: this article is a general guide to understanding & implementing the basic aspects of GDPR. We advise that you speak to a GDPR specialist, who can give you the necessary guidance to make sure both your business and website are GDPR compliant.