5 ways to know if you’re ready for the GDPR
Posted on by Katie Hook
Estimated read time: 5 mins
From May 25th 2018, any organisation who holds and processes personal data for individuals in the EU will be required to comply with the General Data Protection Regulation (GDPR).
One of GDPR’s key purposes is to protect the rights of individuals when it comes to their data and to drive an ethos in all businesses to put their customers’ interests at the heart of everything they do. Those who fall short will face penalties of up to €20 million or 4% of annual turnover (whichever is greater). This is a steep increase when compared with the maximum fine of £500,000 that can be imposed under the existing Data Protection Act 1998 (DPA). This drive towards greater accountability reflects the increased emphasis now being placed on data protection and the recognition that now, more than ever, data is a key currency in any business and consequently, businesses must earn consumers’ trust if they want to continue using it.
With that in mind, how can you be sure that you are fully prepared for the GDPR and the new expectations it brings? Your answers to the following five questions could be a good indicator.
1) Do you know what personal data you hold?
To protect the personal data that you process, you first need to understand what personal data you hold. As part of this process, you might want to consider creating classifications for all the data you process so that you can easily identify both personal and sensitive data and treat it accordingly.
2) Do you know where personal data is processed and kept?
Identifying the points where personal data enters your business is important. For example, these might be call centres, landing pages or sign-up forms. Documenting the flow of personal data through your business, so that you always know where the data is held, will help ensure that you identify potential risks and keep it secure.
3) Do you know the purposes you process personal data for?
Organisations must only use personal data for purposes that are fair and lawful, and should not collect or hold personal data that is unnecessary or irrelevant for those purposes. Consider checking your processes to ensure that you are not asking for unnecessary details, and that you are not using those details for any purposes other than those you collected them for and which the individual expects.
4) Are you telling your customers all of the above?
Transparency is a core part of the GDPR’s requirements. Organisations must make sure that the individuals whose personal data they collect and process understand the purposes for which it will be processed. You may need to consider updating your privacy policies, as well as call centre scripts, website copy, email content and so on, to ensure that they are GDPR compliant.
5) Are you prepared for a personal data breach?
Should your customers’ or employees’ personal data be lost or stolen, do you have a plan in place that would enable you to, firstly, record all the details of the breach efficiently and, secondly, communicate what has happened, should you be required to do so? In circumstances where you do need to notify the affected individuals, have you considered taking steps to help ensure that they are fully supported?
These questions will give you valuable insight into your readiness for the GDPR, but it is also important to look at your overall readiness and, after May 2018, to re-assess compliance regularly. The GDPR itself encourages (and in some cases requires) businesses to conduct Data Protection Impact Assessments (DPIAs), which will help you to identify potential privacy risks at an early stage so that these can be managed or removed.
Our Experian B2B Prospector service is here to support you in keeping your data cleansed and up to date. If you would like more information, just give us a call on 0870 012 1111 and one of our team will be happy to help.
Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice, and this blog should not be considered as such.