6 key requirements for GDPR compliance
Posted on by Katie Hook
Estimated read time: 6 mins
As the compliance deadline for the EU’s new General Data Protection Regulation (GDPR) fast approaches, it appears that some businesses don’t yet feel ready. In fact, Experian research conducted in 2016 found that only 7% of businesses were ‘very prepared’, 48% said they were ‘somewhat ready’, and over 25% were ‘not very’ or ‘not at all’ prepared for the new rules.[1]
If your business falls into one of the categories above, then don’t worry because we’re about to break down the six key requirements you need to know to help you become compliant when the May deadline comes around.
1) Rights of Individuals
At the very heart of the GDPR is the theme of keeping individuals’ rights and interests front of mind at all times. It’s worth noting that the regulation doesn’t just apply to individual consumers, but to any individual whose personal data is held by an organisation – whether that’s in a consumer or business context.
Under the new regulation your customers will have the following rights:
a) The right to be informed (see below for more information)
b) The right of access
c) The right to rectification
d) The right to erasure (see below for more information)
e) The right to restrict processing
f) The right to data portability
g) The right to object
h) Rights in relation to automated decision making and profiling
For more information on the GDPR’s Rights of Individuals you can visit the ICO (Information Commissioner’s Office) website.
2) Right to be Informed
You must let customers know how their information will be processed and what it will be used for. This may mean updating your consent wording and privacy policies to make sure that you are being completely transparent.
It’s worth looking at your existing customers and the process you originally used to gain consent to use their data. If they weren’t fully informed and asked for consent in a GDPR-compliant way, then you may need to contact them again to gain permission to use their data.
3) Right to Erasure (or ‘Right to be Forgotten’)
Individuals will now have the right to request that their data is deleted where there isn’t a compelling reason for it to remain. It’s important to note that this doesn’t give people an absolute right to be forgotten, but does make this possible under certain circumstances.
Equally, there will be some instances where you may refuse this request. That is, when personal data has been processed for one of the following reasons:
• To exercise the right of freedom of expression and information
• To comply with a legal obligation for the performance of a public interest task or exercise of official authority
• For public health purposes in the public interest
• Archiving purposes in the public interest, scientific research, historical research or statistical purposes
• The exercise or defence of legal claims[2]
4) Data Protection Officer (DPO)
The GDPR is making it a requirement that a Data Protection Officer be appointed under certain circumstances, for example, if you are carrying out large scale processing of special categories of data or data relating to criminal convictions or offences. Public authorities will also have to appoint a DPO.
Of course, you may still appoint a DPO even if you’re not required to and this may be something to consider, to ensure that you have the resources and skills to manage your other GDPR obligations.
5) Obligations on Data Processors
The 25th May 2018 GDPR deadline sees those responsible for processing personal data being given new responsibilities. They are being asked to take measures to ensure the security of any personal data that they process or store.
These Data Processors will now also be held legally accountable for these responsibilities outside of any contractual obligations.
6) Data Protection Impact Assessment (DPIA)
DPIAs are a tool that the GDPR promotes so that businesses can effectively assess and comply with their own data protection obligations. They allow you to identify and resolve any issues that may lead to non-compliance and the resulting costs and reputational damage that may ensue.
You are required to conduct a DPIA where the processing of data is likely to result in a high risk to the rights and freedoms of individuals.
Those who decide to embrace the changes and focus on what is right for the customer will find many opportunities to thrive in the new GDPR world, for example:
• Working with better quality data
• Providing valued, consented communications
• Tailored messages to your target audience
• Improved consumer trust through transparency
As with any big changes that new regulations such as the GDPR can bring about, there may be feelings of resistance or the temptation to just ignore it. But it’s important to remember that these requirements have been introduced to help you to put your customers at the heart of your business. And that can only be a good thing.
For more information on the GDPR and the opportunities it can present to your business, download our free guide ‘Defining the data powered future’ today.
Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice and this blog should not be considered as such.
[1] Experian / Data IQ, General Data Protection Regulation – Identifying its impact on marketers and the consumer’s moment of truth, 2016