Well, it’s finally here. Come midnight Thursday, the Y2K of data protection will kick into full swing and business executives across Europe will be waking up on Friday with one burning question on their minds: I hope I didn’t leave anything out!?
That’s right, the EU’s General Data Protection Regulation, aka the GDPR, hits stores this Friday, and anybody who runs a business or is responsible for the security of customer and client data, from a marketing perspective through to an operations perspective, is on notice.
Hopefully, everyone reading this piece is already well aware of what the GDPR is and how it affects their business. If you aren’t, I suggest you get yourself up to speed ASAP. The purpose of this ‘last-minute checklist’ isn’t to guide you through each and every GDPR-related process, but rather to give you a big-picture checklist of the key things that should be done, dusted and ready to go come Friday morning.
So, without further ado, let’s get checking.
1. I’ve got my house in order
The GDPR is all about correctly managing individuals’ private data. So, first things first, your business should have a clear idea of all the different types of personal data it holds, where that data comes from, who has access to that data and how you manage that data end-to-end. Top considerations include:
- Have I confirmed that my business requires a Data Protection Officer? If not, do I know the reasons why my organisation doesn’t need one?
- Do I know where all customer/client data is stored on our company’s systems?
- Is that data in a secure, centralised location?
- Do I share personal data with third parties? If so, with whom, why, and how is that managed?
- Am I only requesting and holding on to data that I actually need, i.e. are my reasons for holding the data legitimate?
- Have I put in place a process whereby data can be deleted quickly, and can I prove it?
2. I’ve taken responsibility and I’m in control
The GDPR isn’t about one single department: the burden doesn’t, and shouldn’t, fall just on IT, Marketing or any other department – it’s shared equally by all. So, before the week is up, make sure everybody in your organisation has taken responsibility for the GDPR and is in control of how it affects their job. Top considerations include:
- Is every employee in my organisation aware of the GDPR and do they have a solid understanding of how it affects their job and business function?
- Have I made our privacy policy, especially those aspects that relate to the processing of personal data, easily accessible to both staff and customers?
- Have I put in place the right security measures to ensure that the data I hold is stored securely?
- Are all my systems up-to-date, including any newly released patches?
- Do I have a clear data breach process in place, in case a breach does occur?
- Have I briefed all my data processors, i.e. any third-party provider that uses personal information about my customers provided by me, about the GDPR, and is there a contract in place that ensures they’re compliant?
3. I know my rights and more importantly, those of my customers
One of the biggest changes in the GDPR is the protection given to individuals across the EU when it comes to their data. The legislation codifies eight individual rights. It’s absolutely crucial that you and everybody in your organisation are aware of these rights. They are:
- The right to be informed: customers and employees alike now have a right to be informed of the details of how their data is collected and how it will be used. You will need to provide information about why you want their data in the first place, how long you intend to use that data for and who you’ll be sharing their data with. Key to this is making sure that the language you use to communicate all of this is easy to understand, transparent and easily accessible. Keep it simple and keep it honest. Whatever you do with an individual’s data, they must always be kept up to date.
- The right of access: currently known as a subject access request, this right ensures that individuals can access all the personal data an organisation holds on them. Unless the request is exceptionally complicated, organisations will only have one month to comply from the date the request was made, and organisations can no longer charge a fee for this service.
- The right to rectification: part and parcel of maintaining an accurate database is making sure individuals can update their information. Under the GDPR, an individual has the right to update their information whenever they like, and businesses have one month to respond to their request.
- The right to erasure: also known as ‘the right to be forgotten’, the GDPR allows individuals to have their personal information erased from an organisation’s database. This right, like many, is not black and white and only applies in certain circumstances. You should make sure you’re aware of when it does and does not apply to your business. If applicable, organisations have one month to respond.
- The right to restrict processing: once again, this right is not black and white and depends on your particular business and the individual’s request. However, in some circumstances the GDPR affords individuals the right to restrict the type of data an organisation holds on them. Unlike the right to erasure, where information needs to be cleared, with the right to restrict processing an organisation can still store the personal data so long as it does not use it.
- The right to data portability: this right allows individuals to move, copy or transfer their personal data from one IT environment to another. Organisations need to make sure that they provide this service to individuals free of charge and that it is done in an easy-to-transfer yet secure way.
- The right to object: this right forms probably the most important aspect of the GDPR, which is to give individuals the power to stop firms from collecting and processing their data altogether. Individuals can stop an organisation from sending them direct marketing, as well as from tracking and collecting certain information about them. Again, this is not black and white: in some instances, where an organisation has a legitimate reason for collecting and processing data, the organisation can continue to do so. You need to make sure you’re aware of how this right applies to your particular business.
- Rights related to automated decision-making, including profiling: this right targets profiling and automation specifically. From an automation perspective, an organisation must prove that it is legitimately carrying out automation that has no direct human involvement. Leading on to profiling, if this non-human-directed automation results in the profiling of a customer, individuals have a right to know what controls are in place and can also refuse to participate in automated profiling.
4. I’ve asked all individuals whose data I collect for their permission and they are completely aware of how my organisation uses their data.
The GDPR is massive and it’s also new. As with any piece of legislation, there are sure to be some teething issues. However, one thing you must always remember to do is get consent from your customers, and from any other individual whose data you’re using. Individuals need to know, and consent to, how you plan on using their data. Top considerations include:
- Prior to processing any individual’s data, I have actively obtained their consent and they have opted in to every way in which their data will be used.
- My organisation’s terms & conditions, along with our privacy policy, are written in easy-to-understand language and are easily accessible by my customers.
- I have a process in place where customers can control their data, i.e. a preference centre, and I have made it easy for my customers to withdraw their consent at any point.
- Whenever I change my privacy policy, or an internal process that affects my customers’ data, I first conduct a ‘Data Protection Impact Assessment’, aka DPIA, and then I obtain consent once again from my customers regarding any new ways their information might be used.
And finally, a quick disclaimer from everyone at Advantage. Advantage is an ERP, CRM and Managed Services IT firm, not a law firm. The information provided here is for general guidance purposes only. It should not be taken, nor is it intended as, legal advice. Please make sure you conduct your own investigation into the GDPR and where appropriate seek out the advice of a legal professional.
Why not find out more about how Advantage can help your business navigate the GDPR from a technical perspective?
Words by Camilo Lascano Tribin