The General Data Protection Regulation (GDPR) has become a topical subject as 25 May 2018, the date it starts to apply, draws closer. GDPR is designed to harmonize data protection law across the EU and to protect and empower the data privacy of individuals in the EU, and it will be the driving force for organizations to re-examine their approach to data privacy. To help you on your GDPR journey, here are 10 top tips for getting GDPR ready:
1. Prepare right now!
Raise awareness with your staff so that everyone understands what GDPR is, why it is in place, how it will affect the way they handle personal data in their day-to-day work, and what rights it gives the people whose data they process.
2. Find out what data you have
Any information relating to an identified or identifiable individual is personal data and falls under GDPR. This is broader than names and addresses: indirect identifiers such as IP addresses, cookie and device identifiers, and location data count as well, and so does data that only identifies someone when combined with other data you hold. Equally important is knowing where all in-scope data lives (on-premises, cloud services, backups, spreadsheets, third-party processors), who has access to it, and why you hold it.
3. Erase data you no longer need
GDPR requires data minimization and storage limitation: collect only the data that you need to carry out a function of your business, and erase it once it is no longer needed for that purpose. This also applies to data already in the possession of your business, so define a retention period for each category of data you hold and delete (or anonymize) what has passed it, including copies in backups and with processors.
4. There are no geographical boundaries
GDPR applies to any organization established in the EU, wherever the processing itself takes place. It also applies to organizations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour (for example through online tracking). Note that the test is whether the individuals are in the EU, not their citizenship.
5. Special requirements
GDPR introduces requirements that many businesses have not had to meet before, such as notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it, keeping records of processing activities, and applying stricter rules to special categories of data (for example health, biometric or genetic data). Identifying and preparing for these requirements now helps your business avoid fines, which for the most serious infringements can reach €20 million or 4% of worldwide annual turnover (whichever is higher), and privacy policies and practices need to be compliant by May 2018.
6. Marketing activities and ‘unambiguous consent’
Where you rely on consent for marketing, it must be freely given, specific, informed and unambiguous: a clear affirmative action, not a pre-ticked box or silence. As part of the initial contact with individuals, it is important that they understand every aspect of what they are agreeing to when passing on their information, including who will use it and for what. Individuals can also decide not to provide consent, or to withdraw it at any time, and withdrawing consent must be as easy as giving it. Keep a record of when and how each consent was obtained so you can demonstrate it.
7. Build GDPR into your working life
If your business regularly and systematically monitors individuals on a large scale, or processes special categories of data on a large scale, you must appoint a Data Protection Officer (DPO); an in-house DPO who knows the business makes the transition easier even where one is not strictly required. Likewise, partner only with suppliers and processors who can demonstrate their own GDPR compliance when collecting and analyzing data about individuals on your behalf, and put a written contract in place with each of them that sets out what they may do with the data.
8. Update security procedures
Once stakeholders are aware of what GDPR is, and they have mapped out the data used by the business to carry out its various functions (e.g. legal, IT and marketing), review and update the security procedures that protect that data. GDPR expects security appropriate to the risk, and names pseudonymization and encryption as examples; in practice that means limiting access to personal data to those who need it, encrypting it at rest and in transit, testing that your controls actually work, and having an incident response process that can detect a breach, assess it and notify the supervisory authority within 72 hours where required.
9. GDPR compliance by design
GDPR is a long-term commitment, not a one-off project, and it requires data protection by design and by default: privacy considerations built into new systems, products and processes from the start, with the most privacy-protective settings applied by default. Designing for GDPR from the get-go is cheaper than retrofitting it, and it helps ensure your business stays adequately protected as systems change.
10. Be prepared for Subject Access Requests
An individual can submit a Subject Access Request (SAR) to obtain a copy of the information a business holds about them. You must respond without undue delay and in any case within one month (extendable in complex cases), normally free of charge. The response must confirm whether any personal data about them is being processed and, if so, provide a copy of that data together with the purposes of the processing, the recipients it has been or will be disclosed to, the retention period, and the source of the data where it was not collected from them directly. Make sure you can locate all of an individual's data and verify the requester's identity before releasing it. Separately, a data subject can ask for their data to be erased (the right to be forgotten), which you must honour unless one of the exceptions applies, such as a legal obligation to retain the data.
GDPR is a comprehensive, modern set of laws that protect the rights and freedoms of data subjects. Remember that you are a data subject in this context too! Treat your data subjects' data in the same way you expect your own data to be handled.