For those organisations out there that have yet to review and amend their procedures in line with the GDPR, now is definitely the time. With the law coming into force in May 2018 (yes, this time next year), failure to comply could result in fines of up to €20 million. And just to clarify, the fact Brexit is going ahead will make no difference to the implementation of this law, so that’s not a ‘get out of jail card’ either. So, what should you be doing now to ensure you are best placed for the arrival of the GDPR next year? Well…
Before you dive into amending your current processes, first determine what kind of data you hold. Where has it come from, what information is included within it, who controls it. Basically, the starting point is to identify the who, what, when, where, and why of data your organisation has.
The policy police
The new GDPR gives individuals greater rights and protection for their data, which includes their rights to certain minimum information, access and objection. In addition, they will also be able to rectify, erase, or block their data being used too. So, before this level of protection becomes available, make sure you have the processes in place to handle these requests – and understand how long your processing times will be.
Consent and consequences
Following the implementation of the GDPR, the way individuals opt in to marketing communications will change – and now’s the time to start preparing. From May next year, pre-ticked opt-in boxes will be invalid and people must instead actively choose to opt-in. More importantly, these opt-in messages must be clear, concise, offer separate access to different types of communication, and not be included within other text such as terms and conditions. At this opt-in stage, individuals will also have to be explicitly told which organisation’s marketing communications they are signing up to. And of course, all this information must be collected and stored by your organisation.
The breach bell
Ok, a bell probably won’t cut it, but part of the new GDPR is to raise the alarm in the event of a data breach at your organisation. Importantly, this notification needs to be addressed to your local supervisory authority within 72 hours of your organisation becoming aware of it. Granted, there are strict guidelines which define the parameters of a personal data breach (and not all require the alarm to be raised), but you must make sure you are adequately prepared for any eventuality. With this in mind, start identifying procedures to detect, report and investigate any data breaches which occur.
Under the terms of the new GDPR, data protection will no longer be an afterthought or add-on to the latest tech. Instead, it will now feature front and centre due to the ‘privacy by default and design’ requirements of the law. This means that before your organisation designs new products or develops/changes their operations, you’ll first need to determine what impact it could have on the individual’s privacy. To illustrate your level of commitment to this approach, the new law requires the completion of a Data Protection Impact Assessment (DPIA) prior to any changes. So, if you are currently working on long-term plans for changes within your business, start considering the impact of the upcoming GDPR now.
One of the hot topics following the first draft of the GDRP was the introduction of data protection officers (DPO). These individuals will operate within your organisation to ensure you remain compliant, and will answer only to the business’s senior management team. As an aspect of the original draft which has made it through to the final law, this is something you’ll have to start considering soon. Does your business actually require a DPO? Will you select someone in-house? Will you recruit externally? All of these questions need to be answered and effectively implemented before next May, so if you haven’t already, it’s time to get moving.
If you’d like more information on how the GDPR will affect your lead generation activity, or how you can ensure you’re compliant before next May, speak to us today on 02392 314498 or email email@example.com.