1. Familiarise yourself with the legislation

Reading the legislation should be your first step. It will help you gain an idea of what your responsibilities are. It’ll also help you become familiar with what kind of data this legislation aims to protect (i.e. name, address, ID numbers, location, IP address, cookie data, RFID tags, health and genetic data, biometric data, racial or ethnic data, political opinions, sexual orientation).
2. Do a complete audit on all the data you currently have

You need a complete data audit if you currently hold data on EU citizens. Find out exactly what you hold; whether consent was gathered; how it was processed; where it’s stored; how secure it is; what risk factors there are; and whether you actually need all the data. If you find that much of the data is unnecessary for your business operations, consider getting rid of it. If you have a huge mailing list with a significant percentage of inactive users, consider sending out a campaign asking them to opt back in, and unsubscribe those users who fail to respond. Think about storage too. Gather all your data assets and store them securely in one place, making it easy for your company to find data and serve requests from customers who are exercising their right of subject access or right to be forgotten. If you’re unsure, now’s the time to get professional advice on developing a GDPR-compliant data processing plan.
3. Plan for minimal data collection

Going forward, make it a policy to collect only that data which is essential to your business objectives. You’ll be surprised at how many businesses collect data they don’t need simply because they ‘may’ need it at some point in the future. This kind of unused data can become an unnecessary liability. So identify and focus on what data is actually needed.
4. Update your marketing strategies

Because of the active consent element of GDPR, you’ll need to modify both your traditional and digital marketing strategies. Active consent simply means you can’t assume consent, or use tricks to gain consent (such as pre-ticked boxes) – the consumer needs to actively opt in, and you need to record and store that consent as evidence should you come under ICO investigation. So if you collect data via print material, you may need new print assets; forms will need to make it clear what the data will be used for, with a clear opportunity to opt in. It’s the same for websites that have a data capture strategy in place. You’ll also need to have a plan for storing the gathered consent. This is important because at some point you may need to prove that you’ve acted lawfully. You’ll need stronger cookie notifications that allow users to deny cookies as well as give permission; this may require software solutions that enable users to disable cookies early on and still be able to use your website.
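The data audit in step 2 and the consent evidence in step 4 come together in practice as a data inventory with a consent ledger attached. The script below is an added illustration, not code from the article or any tool it mentions: it walks a small constructed inventory, flags assets that hold special-category data (the kinds listed in step 1), have no stated purpose or are unencrypted, lists subjects with no consent record or with consent that came from a pre-ticked box (which does not count as active consent), and builds the re-opt-in list for inactive subscribers. The asset names, field names, subject ids, mechanism labels and the 365-day inactivity threshold are all assumptions made for the example.

```python
"""Data inventory audit with a consent ledger (illustrative example, not from the article)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Special-category data kinds, taken from the article's own list of protected data.
SPECIAL_CATEGORIES = {"health", "genetic", "biometric", "racial_or_ethnic",
                      "political_opinions", "sexual_orientation"}


@dataclass
class ConsentRecord:
    """One opt-in, kept so it can later be produced as evidence."""
    subject_id: str
    purpose: str          # the use stated on the form when consent was gathered
    given_at: datetime    # when the subject opted in
    mechanism: str        # e.g. "web_form_checkbox" or "paper_form" (labels are assumed)
    pre_ticked: bool      # True: the box was ticked by default, so there was no affirmative act
    notice_version: str   # which wording of the privacy notice the subject saw

    def is_active(self) -> bool:
        # Active consent needs an affirmative act by the subject; a pre-ticked box does not count.
        return not self.pre_ticked


@dataclass
class DataAsset:
    """One store of personal data found during the inventory."""
    name: str
    fields: set
    storage: str
    encrypted_at_rest: bool
    purpose: Optional[str]                             # None: nobody could say why it is held
    subjects: set = field(default_factory=set)
    consents: dict = field(default_factory=dict)       # subject_id -> ConsentRecord
    last_activity: dict = field(default_factory=dict)  # subject_id -> datetime of last engagement


def audit_asset(asset: DataAsset, now: datetime,
                inactive_after: timedelta = timedelta(days=365)) -> dict:
    """Return findings for one asset: what to delete, fix, or re-permission."""
    findings = {"issues": [], "no_consent": [], "invalid_consent": [], "re_optin": []}
    special = asset.fields & SPECIAL_CATEGORIES
    if special:
        findings["issues"].append("holds special-category data: " + ", ".join(sorted(special)))
    if asset.purpose is None:
        findings["issues"].append("no stated business purpose; candidate for deletion")
    if not asset.encrypted_at_rest:
        findings["issues"].append(f"not encrypted at rest in {asset.storage}")
    for subject in sorted(asset.subjects):
        record = asset.consents.get(subject)
        if record is None:
            findings["no_consent"].append(subject)          # no evidence of consent at all
        elif not record.is_active():
            findings["invalid_consent"].append(subject)     # evidence exists but is not active consent
        seen = asset.last_activity.get(subject)
        if seen is None or now - seen > inactive_after:
            findings["re_optin"].append(subject)            # target of the opt-back-in campaign
    return findings


def build_sample_inventory(now: datetime) -> list:
    """Constructed sample data for the walkthrough; not real records."""
    mailing = DataAsset(
        name="newsletter_list", fields={"name", "email"}, storage="crm_db",
        encrypted_at_rest=True, purpose="email newsletter",
        subjects={"s1", "s2", "s3"},
        consents={
            "s1": ConsentRecord("s1", "email newsletter", now - timedelta(days=30),
                                "web_form_checkbox", pre_ticked=False, notice_version="2018-05"),
            "s2": ConsentRecord("s2", "email newsletter", now - timedelta(days=800),
                                "web_form_checkbox", pre_ticked=True, notice_version="2016-01"),
        },
        last_activity={"s1": now - timedelta(days=10), "s2": now - timedelta(days=700)},
    )
    legacy = DataAsset(
        name="old_survey_export", fields={"name", "health", "political_opinions"},
        storage="shared_drive", encrypted_at_rest=False, purpose=None,
    )
    return [mailing, legacy]


def run_audit(now: Optional[datetime] = None) -> dict:
    """Audit every asset in the sample inventory and return findings keyed by asset name."""
    now = now or datetime.now(timezone.utc)
    return {asset.name: audit_asset(asset, now) for asset in build_sample_inventory(now)}


if __name__ == "__main__":
    for name, result in run_audit().items():
        print(name, result)
```

Running it lists s3 (no consent record) and s2 (consent from a pre-ticked box) on the newsletter list, puts both on the re-opt-in list, and flags the old survey export for special-category data, no purpose and no encryption, which is exactly the set of questions step 2 says the audit must answer.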
5. Conduct a cybersecurity review

Cyber crime is on the rise and it’s getting very sophisticated year-on-year. So, if you rely on computer networks to store, collect and share data across your organisation, you need a cybersecurity review. The things to ask are: Is the network safe and secure? How easily can it be breached? Are there potentials for data leakage? Are the staff web-savvy? Is the data encrypted? Are devices protected from malware? The aim is to put measures in place that minimise the risk of being breached and of sensitive data getting into the hands of criminals. You may need to invest in better cybersecurity technology and staff training to make sure members of your team don’t become entry points for malicious activity.
6. Audit third parties that have been collecting data on your behalf

This is important because you are still liable for this data. It’s your responsibility to ensure that all third parties are GDPR compliant. So, for example, if you’ve hired a digital agency that manages direct marketing and data management on your behalf, you need to make sure they’re handling the data lawfully.
7. Consider appointing a designated compliance officer

If your company’s big enough, you should consider appointing a compliance officer whose sole job is to make sure the entire organisation is adhering to GDPR. This may require significant investment (i.e. training, recruitment and employment costs etc.). However, when you consider that businesses face fines of 3-4% of their annual turnover for non-compliance, it may turn out to be a cost-effective investment.
Conclusion

The above list is by no means exhaustive. There are many complicated factors to consider when planning for GDPR. So although this article should get you moving in the right direction, it is not a replacement for effective planning and proper legal counsel. Becoming fully compliant requires hard work, careful consideration, and significant investment. But in the long run, it will help you avoid huge fines and reputational damage to your business.