GDPR (the European Union’s General Data Protection Regulation) is the biggest shake-up of data protection laws for more than two decades – and by gum has it come into force, with fines of up to €20 million or 4% of a corporation’s turnover (whichever is higher).

Whilst the popular story of GDPR is that it allows users to ask what information corporations hold on them, to request to be opted out of marketing communications, or indeed to have their data deleted, GDPR’s underlying principle is that corporations must tighten up their security measures and do more to prevent a data breach.

I received an apology letter from a credit check agency in October last year, over a data breach that had occurred 6 months prior, in May 2017. 6 months! Whilst I appreciate that, in times of making a mistake, all one can do is apologise, it was annoying that 1) I was meant to simply accept this apology and be fine with the fact that hackers had learnt my most highly sensitive data, 2) instead of Equifax sorting this, the responsibility apparently lay with me to take actions to protect myself, and 3) why did it take 6 months for the letter to come? The concerning thought is that it took them 6 months to realise such a data breach had occurred…

For corporations, the key is to be practical. GDPR, like any legislation change, is an opportunity to start putting better security and infrastructure measures in place, whilst creating a barrier to entry for the cowboys who won’t. Every business is different and needs GDPR consultancy on its own setup and operations. This is especially true for a business whose shop window is predominantly a smartphone application, where the interdependencies of how user data interacts, and what breaks or issues can arise when a user requests that their data be deleted, create their own set of issues. Taking a common sense approach, starting with the steps below, could help you get there.

Steps to GDPR compliance

First, where is personal data held? (Personal data includes any information that could identify a customer, employee or any other individual for whom you hold data.) Where did you get it, are you still allowed to use it and who do you share it with? How do you collect information on an ongoing basis, and do you have users’ permission to continue using their data in the ways that you do?

Centralising, getting current permission and securing the data you hold is your number one priority.

Next, you need to update your website, app and marketing material so that users can opt out of marketing activity at the point where they fill in personal details (such as contact forms), and so that users who have already submitted their details have an ‘opt out’ and ‘delete information’ option in their settings.

To coincide with this, you’ll need to update your privacy policy so that it sets out what you do with personal information, how you keep this data secure, what you’ll do in the event of a data breach and how users can contact you to ask for their data to be corrected or deleted.

Finally, GDPR is not a one-off event. A new system is only good if it is abided by and regularly followed. Assign a main point of contact who will be primarily responsible for GDPR compliance within your organisation. Set out how often reviews of your company’s practices take place, and lock those dates down as calendar meeting dates so they are not forgotten about or pushed down the road. Whilst a main point of contact is important to head up GDPR compliance, it’s imperative that you filter the learnings down, so all employees understand the policy, how they should follow the system and how to conduct themselves and their daily activities to ensure GDPR compliance.

Furthermore (and I cannot state the importance of this one enough), as regulators expect you to take responsibility for the third parties with which you transact, ensure suppliers sign new contracts which bring them up to speed on GDPR matters; set out what third parties can and can’t do with the data they are privy to, and check that they have their own security measures in place.

GDPR is a good thing: it’s there to standardise the ‘grey area’ and strengthen the rules on how corporations handle personal data. It’s the push a lot of corporations need to identify and prioritise the handling of sensitive data, to identify where any weak links may be, and to put further security measures in place to lock this down; so that hopefully, letters like the one I received from the credit check agency will be a thing of the past.
