Are you ready for the GDPR? Here’s a quick guide to help make sure you are compliant.
✔ Nominate a Data Protection Officer
Since most of us are accessing, processing and manipulating data just by the nature of what we do, you’ll need to designate a Data Protection Officer (DPO) to oversee (data) operations. DPO contact details must be notified to the regulatory authority and published to the public, but they don’t need to be a new hire — you can use an existing employee who takes on the role. Depending on the scope of work and data you have, you may not be required to do this, but it’s probably a good idea nonetheless.
✔ Update your Terms & Conditions
Your legal team will need to review your privacy policy to make sure that the language is clear, easy to understand and in plain language. The days of tiny font size are over — the text should be accessible, transparent and delivered in a friendly format (keep in mind that many people use mobile devices for accessing information so you don’t want them to have to scroll for ages in order to read your conditions).
You will also need to make sure that privacy notices are given at the time that data is obtained from a contact and that it contains all the required information, including:
- What you are going to use their data for
- Who is going to access it
- How you will ensure the protection of any data that is transferred
- How long will you store their data
- How can they contact you should they wish to rectify or delete any data you have
✔ Create new procedures
In order to ensure that you implement the 6 data protection principles (fair and lawful, purpose, adequacy, accuracy, retention, rights), you need to create some new policies and procedures, such as:
- General Data Protection Policy
- Data Subject Access Rights Procedure
- Data Retention Policy
- Data Breach Escalation and Checklist
- Employee Privacy Policy and Notice
- Processing Customer Data Policy
✔ Provide employee training
Employees who handle data must receive training in order to ensure that they handle it in accordance with GDPR. The company should keep a record of training and provide updates and refresher training as needed. It’s very important that resources understand the changes that are to occur, and that they implement them effectively.
✔ Clean the data you have to obtain explicit opt-ins
Existing prospect data you have now will need to be called in order to be compliant because you are not allowed to email the contacts you have in order to be sure they agree to opt-in to receive any new information you want to send them. To be on the safe side, it’s good to obtain double opt-ins (by phone, and then again by email) prompting contacts to click on a link to access your updated terms & conditions and check on a box to provide their consent.
✔ Ensure data security
The days of posting spreadsheets of data in Skype or Dropbox are over. Even emailing data opens the door to potential security breaches, so you have to be sure that you data is housed in one secure location and that has protected access. Security has to cover the risks to individuals if data were lost, stolen or disclosed to unauthorized people.
Security involves both people/processes and technical measures. The following factors should be considered:
- User log-ins
- Encryption
- Ensuring ongoing integrity, confidentiality, availability and resiliency
- Ability to restore in a timely manner
- Processes for testing security
Disclaimer: MediaDev’s advice should not be taken as legal instruction. We suggest that your GDPR compliance process be verified by legal representation as depending on the nature of your business, you may need to implement additional steps.
