These actionable steps will help keep your company and processes in compliance with the EU General Data Protection Regulation.
By Liz Lemarchand, MediaDev
Are you ready for the GDPR? Here’s a quick guide to help make sure you are compliant.
✔ Nominate a Data Protection Officer
Since most of us are accessing, processing and manipulating data just by the nature of what we do, you’ll need to designate a Data Protection Officer (DPO) to oversee (data) operations. DPO contact details must be notified to the regulatory authority and published to the public, but they don’t need to be a new hire — you can use an existing employee who takes on the role. Depending on the scope of work and data you have, you may not be required to do this, but it’s probably a good idea nonetheless.
✔ Update your Terms & Conditions
You will also need to make sure that privacy notices are given at the time that data is obtained from a contact and that it contains all the required information, including:
✔ Create new procedures
In order to ensure that you implement the 6 data protection principles (fair and lawful, purpose, adequacy, accuracy, retention, rights), you need to create some new policies and procedures, such as:
✔ Provide employee training
Employees who handle data must receive training to ensure that they handle it in accordance with GDPR. The company should keep a record of training and provide updates and refresher training as needed. It’s very important that staff understand the changes that are to occur, and that they implement them effectively.
✔ Clean the data you have to obtain explicit opt-ins
Existing prospect data you have now will need to be called in order to become compliant, because you are not allowed to email the contacts you have in order to confirm they agree to opt in to receive any new information you want to send them. To be on the safe side, it’s good to obtain double opt-ins (by phone, and then again by email), prompting contacts to click on a link to access your updated terms & conditions and check a box to provide their consent.
✔ Ensure data security
The days of posting spreadsheets of data in Skype or Dropbox are over. Even emailing data opens the door to potential security breaches, so you have to be sure that your data is housed in one secure location with protected access. Security has to cover the risks to individuals if data were lost, stolen or disclosed to unauthorized people.
Security involves both people/processes and technical measures. The following factors should be considered:
Disclaimer: MediaDev’s advice should not be taken as legal instruction. We suggest that your GDPR compliance process be verified by legal representation as depending on the nature of your business, you may need to implement additional steps.