Beginning from May 25th, 2018, companies which operate in the European Union have to adhere to the GDPR. Coursedot has a special quick and easy guide to provide the basics of GDPR. This is the 7th part of the series. We take a look at how to prepare for the GDPR. The previous part is here.
But now we get into the important stuff.
Preparing for the GDPR
In October 2017 the Article 29 Working Party published the ‘Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679’ (Regulation 2016/679 being the official name of the GDPR). These guidelines are written for the supervisory authorities that apply and enforce the new Regulation, but companies should study them too, as they show what the regulators will look at and so help companies prepare for the GDPR better.
How to prepare – first steps
Getting your company ready for the GDPR can become quite the task. It’s easy to be overwhelmed by all of the details you have to take into consideration. So, it’s vital to have a good approach to the whole process. Start by doing your homework on the GDPR. You’re already doing this right now with this eBook.
Next, analyze the Regulation in detail and create a strategy which features several steps in the implementation of GDPR in your organization. This strategy has to consider all aspects of the company’s way of work. For example, the methods of marketing, sales and how they obtain data. One way is to ask customers to fill out a form or perform a double opt-in. This means they have to tick a box and then confirm it was them via email activation. As you can see, this is a classic action, used by many companies for a long time now. So, most changes aren’t that drastic.
The strategy also has to take into consideration any changes in the legal documents: Terms & Conditions, Privacy Policies, etc. It also has to make room for any technical challenges or upgrades needed. For example, the need to use special GDPR compliance tools, the addition of a CRM, the implementation of new sign-in/register pages, etc. All of this will vary for each company’s case.
There are some important changes, too. Companies can’t for example simply get the names and emails of prospective clients at networking events or trade shows and then manually add them to their database. This isn’t allowed under GDPR as there won’t be any digital trace that the individual gave consent. So, even if you get these business cards, you then have to get the digital consent of these people before you use their data.
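The two points above, the double opt-in (tick a box, then confirm via an e-mail activation link) and the need for a digital trace of consent that a business card can never provide, come down to one thing: a consent record that is only created by the person’s own confirmation and that carries the evidence a regulator would ask for. The following is an added example of such a consent ledger; it is not code from Coursedot or from the GDPR text. The server key, the consent text version, the in-memory storage and the e-mail addresses are all constructed assumptions for the illustration.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

# Assumption: a server-side secret used to sign activation tokens. In production it
# comes from a secrets manager, never from source code.
SERVER_KEY = b"hypothetical-server-secret-replace-me"

# Assumption: the consent wording is versioned, so each record shows exactly what
# text the person agreed to at the time.
CONSENT_TEXT_VERSION = "marketing-v1"


class ConsentLedger:
    """Double opt-in consent ledger (in-memory stand-in for a database table).

    A ticked box only creates a *pending* request. Only the e-mailed confirmation
    link turns it into a consent record with a timestamped audit trail.
    """

    def __init__(self, key: bytes, token_ttl: timedelta = timedelta(hours=24)):
        self.key = key
        self.ttl = token_ttl          # activation links expire; stale ones are refused
        self.pending = {}             # nonce -> pending request
        self.records = []             # confirmed (and possibly withdrawn) consents

    def _sign(self, email: str, purpose: str, nonce: str) -> str:
        # The HMAC binds the link to this e-mail, this purpose and this nonce,
        # so a token cannot be re-used for another person or purpose.
        msg = f"{email}\n{purpose}\n{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def request_consent(self, email: str, purpose: str, box_ticked: bool, now=None) -> str:
        """Step 1, the sign-up form. Returns the token to embed in the activation link."""
        if not box_ticked:
            # A pre-checked box, silence or an implied "yes" never reaches the ledger.
            raise ValueError("consent box was not actively ticked")
        now = now or datetime.now(timezone.utc)
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = {"email": email, "purpose": purpose,
                               "requested_at": now, "text_version": CONSENT_TEXT_VERSION}
        return f"{nonce}.{self._sign(email, purpose, nonce)}"

    def confirm(self, token: str, now=None):
        """Step 2, the activation link. Returns the consent record, or None if the
        token is unknown, tampered with, expired or already used."""
        now = now or datetime.now(timezone.utc)
        nonce, _, sig = token.partition(".")
        req = self.pending.get(nonce)
        if req is None:
            return None
        if now - req["requested_at"] > self.ttl:
            del self.pending[nonce]
            return None
        if not hmac.compare_digest(sig, self._sign(req["email"], req["purpose"], nonce)):
            return None
        del self.pending[nonce]   # one-shot: a link cannot confirm twice
        record = {**req, "confirmed_at": now, "withdrawn_at": None}
        self.records.append(record)
        return record

    def has_consent(self, email: str, purpose: str) -> bool:
        """The check every marketing send must pass before using the data."""
        return any(r["email"] == email and r["purpose"] == purpose
                   and r["withdrawn_at"] is None for r in self.records)

    def withdraw(self, email: str, purpose: str, now=None) -> bool:
        """Withdrawal keeps the record (it is evidence) but ends the consent."""
        now = now or datetime.now(timezone.utc)
        changed = False
        for r in self.records:
            if r["email"] == email and r["purpose"] == purpose and r["withdrawn_at"] is None:
                r["withdrawn_at"] = now
                changed = True
        return changed

    def export_evidence(self, email: str) -> str:
        """What you hand over on an inquiry: every record for this person, as JSON."""
        rows = [r for r in self.records if r["email"] == email]
        return json.dumps(rows, default=lambda d: d.isoformat(), indent=2)


if __name__ == "__main__":
    # Constructed walk-through: a trade-show business card gives no consent by itself.
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger(SERVER_KEY)
    print(ledger.has_consent("alice@example.com", "marketing"))          # False
    token = ledger.request_consent("alice@example.com", "marketing", True, now=t0)
    print(ledger.has_consent("alice@example.com", "marketing"))          # still False
    ledger.confirm(token, now=t0 + timedelta(minutes=5))
    print(ledger.has_consent("alice@example.com", "marketing"))          # True
    print(ledger.export_evidence("alice@example.com"))
```

Note that the pending request and the confirmed record are deliberately separate: a name typed into a form (or copied from a business card) never grants anything, and the record that does grant it carries the request time, the confirmation time and the version of the consent text, which is the “digital trace” the text above refers to.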
With that in mind, how do you prepare for the GDPR?
1. Start with an analysis of what your company is doing right now with customers’ data. Analyze what data you collect, how and for what. Make a map of the whole process of the data journey in your company including how it’s stored, who has access to it, etc. You should also consult with a lawyer or your legal team for any additional GDPR details and measures that need attention.
2. Next, examine what part of this data you actually need. Remove any data which isn’t vital to your business and any data which isn’t used or has expired. A company can be fined for keeping hoards of data without a valid reason.
3. Establish what additional safety measures you need to take. The GDPR places great emphasis on the security of personal data. It’s best for companies to take all the cyber security measures they can in order to minimize the risk of a breach. Also make sure the company has an established process to notify the authorities and the affected individuals in the event of a breach, within 72 hours of becoming aware of it.
4. Review all privacy statements, disclosures and terms and conditions on your services. Make the appropriate updates as per the GDPR. Make note that prechecked boxes, implied consent or silence will not be accepted as consent by the GDPR. Keep these documents regularly updated.
5. Make sure the company has all the needed processes in place for handling personal data. This includes being able to honor requests based on the individuals’ rights stated above within a reasonable amount of time.
Also consider ways to get consent from individuals in a very clear and transparent manner. Make sure the processes for individuals to send requests about the handling of their personal data are also simple and clear. Note how the company will handle a data transfer if requested, and make sure that the data is interoperable.
Next, have a strategy and a plan in the event of a data breach.
The mindset should be “when”, not “if”.
In some cases, companies will also have to create a Data Protection Officer position. Under the GDPR, companies which handle a certain amount of individuals’ data have to have a person who makes sure everything to do with this data is handled properly. This also depends on whether the member state they are based in has such a requirement. It’s also possible to hire a third party to do that for you. A detailed examination of the official GDPR text, along with local law, will help companies understand whether they are affected by this requirement.
Finally, but also very important, make sure the company will be able to prove it actually needs this personal data in the event of an inquiry from a data regulation authority.
In the end, while the GDPR does indeed bring a lot of changes, some very severe, to the way companies handle personal data, in the long run, all of this is for good. This Regulation is meant to help companies build more trust with their users. Having this trust and transparency will improve the overall business conditions and should create more quality companies.
These are the basics you must take into account when preparing for the GDPR. Up next, we will take a look at some GDPR tips and tricks to make implementation easier.