t’s now just weeks until GDPR comes into force but only a quarter of businesses (Gov.uk) had, until recently, actually started preparing. If you haven’t, don’t worry – the steps in this blog will help get things kicked off.

STEP 1 – Decide who owns GDPR

Assign ownership to a responsible employee who ensures everything is done. Find someone with the capacity, knowledge and authority for the job and make sure they have access to all the information, training and resources they need. Also make sure you reference them in your data protection policy.

“Employing a GDPR champion is critical as not only will they guide others through the appropriate process to ensure compliance, but this will also increase employee engagement which is another benefit for your SME. With the ever changing business landscape, it is important that organisations to show that they are really interested and dedicated in employee engagement by adopting various practices and methods that emphasise employee involvement in daily decision making and action. From a human resource management perspective, the organised and co-ordinated effort from the GDPR champion to guide others will result in not only a pro-active approach to GDPR, but increased employee engagement.” – Dr. Alexandros Psychogios, Professor of International Human Resource Management

STEP 2 – Understand the rules

Make sure you know exactly what GDPR is and how it is likely to affect your business. There’s been lots of debate about how it impacts different businesses which makes matters confusing! Just remember it includes ALL personal data – employees’, customers’ and prospects’. Here’s a handy guide on the rules.

STEP 3 – Conduct an audit

Don’t delay – audit what personal information you currently hold, where and how you store it, and what you use it for. This is crucial in seeing how you’re affected and what you need to do to be fully compliant. Remember, it’s not just about what you’re using people’s data for, but also whether you can easily and quickly show them what you hold and fulfil their right to be forgotten if requested.

STEP 4 – Review your processes

With the audit completed, you’ll have a good idea of the gaps in your armour. Now decide what processes and new systems are needed. These vital ingredients ensure that you’re meeting the standards and could prove so to the ICO. This may include your data collection and consent processes, your ability to provide data records to people upon request, and also how you’ll spot and report breaches to the ICO.

“From 25th May 2018, companies will be responsible for the secure storage of their customers personal data. One of the biggest challenges facing marketers, will be the adoption of new communication strategies when contacting prospective customers. This is due to the GDPR requirements for companies to acquire explicit consent from prospects, in order for them to receive direct marketing communications.

Existing customers can be communicated with, as long as the organisation informs them of their GDPR compliance.” – Emma Neale, Senior Lecturer in Marketing

STEP 5 – Communicate!

Say what you’re doing to comply. Employees need to know how GDPR will affect their day to day work. They also need to understand how your privacy notice affects their work. People whose personal data you hold should also be told why you’re holding it and what you do with it, as well as how long you keep the data for.

“As a new type of digital privacy regulation, GDPR acts as a protector for processing personal data working in the interests of individuals. Marketing communications is a vital part of GDPR, and importantly GDPR impacts on your approaches to marketing communications. First of all, think about how you manage customer communication and personal data. You must communicate this clearly and in easy to understand terms and conditions. Practically, think about updating your website privacy policy to communicate this clearly. The biggest change GDPR will bring to marketers is the need for explicit consent, which means that you will need to actively seek permission confirming they want to be contacted via their details. This means a pre-ticked box for automatic opt-ins, which has become common practise, is no longer acceptable.” – Dr. Hui Wang, Senior Lecturer in Marketing

Start your compliance journey today!

 If you haven’t started preparing for GDPR’s implementation on May 25th 2018, make today the day you start working towards it.  For more details check out the ICO’s official guide to preparing for GDPR.