t’s now just weeks until GDPR comes into force but only a quarter of businesses (Gov.uk) had, until recently, actually started preparing. If you haven’t, don’t worry – the steps in this blog will help get things kicked off.
STEP 1 – Decide who owns GDPR
Assign ownership to a responsible employee who ensures everything is done. Find someone with the capacity, knowledge and authority for the job and make sure they have access to all the information, training and resources they need. Also make sure you reference them in your data protection policy.
“Employing a GDPR champion is critical as not only will they guide others through the appropriate process to ensure compliance, but this will also increase employee engagement which is another benefit for your SME. With the ever changing business landscape, it is important that organisations to show that they are really interested and dedicated in employee engagement by adopting various practices and methods that emphasise employee involvement in daily decision making and action. From a human resource management perspective, the organised and co-ordinated effort from the GDPR champion to guide others will result in not only a pro-active approach to GDPR, but increased employee engagement.” – Dr. Alexandros Psychogios, Professor of International Human Resource Management
STEP 2 – Understand the rules
Make sure you know exactly what GDPR is and how it is likely to affect your business. There’s been lots of debate about how it impacts different businesses which makes matters confusing! Just remember it includes ALL personal data – employees’, customers’ and prospects’. Here’s a handy guide on the rules.
STEP 3 – Conduct an audit
Don’t delay – audit what personal information you currently hold, where and how you store it, and what you use it for. This is crucial in seeing how you’re affected and what you need to do to be fully compliant. Remember, it’s not just about what you’re using people’s data for, but also whether you can easily and quickly show them what you hold and fulfil their right to be forgotten if requested.
STEP 4 – Review your processes
With the audit completed, you’ll have a good idea of the gaps in your armour. Now decide what processes and new systems are needed. These vital ingredients ensure that you’re meeting the standards and could prove so to the ICO. This may include your data collection and consent processes, your ability to provide data records to people upon request, and also how you’ll spot and report breaches to the ICO.
“From 25th May 2018, companies will be responsible for the secure storage of their customers personal data. One of the biggest challenges facing marketers, will be the adoption of new communication strategies when contacting prospective customers. This is due to the GDPR requirements for companies to acquire explicit consent from prospects, in order for them to receive direct marketing communications.
Existing customers can be communicated with, as long as the organisation informs them of their GDPR compliance.” – Emma Neale, Senior Lecturer in Marketing
STEP 5 – Communicate!
Say what you’re doing to comply. Employees need to know how GDPR will affect their day to day work. They also need to understand how your privacy notice affects their work. People whose personal data you hold should also be told why you’re holding it and what you do with it, as well as how long you keep the data for.
Start your compliance journey today!
If you haven’t started preparing for GDPR’s implementation on May 25th 2018, make today the day you start working towards it. For more details check out the ICO’s official guide to preparing for GDPR.