GDPR (the European Union’s General Data Protection Regulation) is the biggest shake-up of data protection laws for more than 2 decades – and by gum has it come into force, with fines of up to €20 million or 4% of a corporation’s turnover (whichever is higher).
Whilst the popular story of GDPR is that it allows users to ask what information corporations hold on them, to request to opt out of marketing communications, or indeed to have their data deleted, GDPR’s underlying principle is for corporations to tighten up their security measures and do more to prevent a data breach.
I received an apology letter from a credit check agency in October last year, over a data breach that had occurred 6 months prior, in May 2017. 6 months! Whilst I appreciate that in times of making a mistake all one can do is apologise, it was annoying that 1) I was meant to simply accept this apology and be fine with the fact that hackers had learnt my most highly sensitive data, 2) instead of Equifax sorting this, the responsibility apparently lay with me to take actions to protect myself, and 3) why did it take 6 months for the letter to come? The concerning thought is that it took them 6 months to realise such a data breach had occurred…
For corporations, the key is to be practical. GDPR, like any legislation change, is an opportunity to start putting better security and infrastructure measures in place, whilst creating a barrier to entry for the cowboys who won’t. Every business is different and needs GDPR consultancy on its own set-up and operations, especially a business whose shop window is predominantly a smartphone application, where the interdependencies of how user data interacts, and what breaks or issues can arise when a user requests that their data be deleted, create their own set of issues. Taking a common-sense approach, starting with the steps below, could help you get there.
Steps to GDPR compliance
First, where is personal data held? (Personal data includes any information that could identify a customer, employee or any other individual for whom you hold data.) Where did you get it, are you still allowed to use it, and who do you share it with? How do you collect information on an ongoing basis, and do you have users’ permission to continue using their data in the ways that you do?
Centralising, getting current permission and securing the data you hold is your number one priority.
Next, you need to update your website, app and marketing material so that users can opt out of marketing activity wherever they are asked to fill in personal details (such as contact forms), and so that users who have already done so find an ‘opt out’ and ‘delete information’ option in their settings.
Finally, GDPR is not a one-off event. A new system is only good if it is abided by and regularly followed. Assign a main point of contact who will be responsible for GDPR compliance within your organisation. Set out how often reviews of your company’s practices take place and lock those dates down as calendar meetings, so they are not forgotten about or pushed down the road. Whilst a main point of contact is important to head up GDPR compliance, it is imperative that you filter down the learnings, so all employees understand the policy, how they should follow the system, and how to conduct themselves and their daily activities to ensure GDPR compliance.
Furthermore (and I cannot stress the importance of this one enough), as regulators expect you to take responsibility for third parties with which you transact, ensure suppliers sign new contracts which bring them up to speed on GDPR matters; set out what third parties can and can’t do with the data they are privy to, and check that they have their own security measures in place.
GDPR is a good thing: it is there to standardise the ‘grey area’ and strengthen the rules on how corporations handle personal data. It is the push a lot of corporations need to identify and prioritise the handling of sensitive data, to identify where any weak links may be, and to put in further security measures to lock this down, so that hopefully letters like the one I received from the credit check agency will be a thing of the past.