
5 tips to get your business ready for GDPR

29th November 2017

On 25th May 2018, there will be a fundamental change to the way that all businesses process and are able to move personal data. Having been approved by the EU Parliament on 14th April 2016, the General Data Protection Regulation (GDPR) is being described by many as the biggest change to data privacy in the last 20 years! If you're thinking that Brexit means your business won't have to comply with GDPR, you're mistaken. Any UK business that holds or processes personal data will be affected.

The penalties for holding data that isn't compliant with GDPR regulations are substantial: fines can be issued of up to €20 million or 4% of a business's annual worldwide turnover, whichever is greater. With that in mind, here are 5 tips to help your business get ready for GDPR.

It's never too early to start preparing

With 2017 drawing to a close, May 2018 isn't far away, especially considering that for some businesses there may be a great deal of work needed to make sure all data held is compliant. It's best to start preparing now.

Make all staff aware of the upcoming changes in your organisation. GDPR is not only a concern for your marketing or IT department; everyone will be affected to some extent. Encouraging staff to share this information, along with useful resources, across your organisation will speed up the onboarding process.

Create or update your data management strategy

It will be necessary to assess how your data is being obtained and stored, and how you're recording consent. The next step is to look at the types of data processing you carry out and assess your legal basis for carrying them out.

For further information on creating a data management strategy, TDWI is a great resource.

Is your data easily accessible?

Making sure your data is easily accessible and retrievable is vital. The new regulations mean that clients and customers can require businesses to destroy their data, demand to know where their contact information was obtained, and seek proof of consented use. All of this must be provided within 30 days of the request being made.

This information must be provided even if your servers are offline due to a natural disaster or human error; disaster recovery services from companies such as Sungard AS ensure that data remains accessible even during a catastrophe. It may sound extreme now, but being prepared will save time and potentially money in the future.

Document everything!

If you aren't already, it's time to start keeping records of all personal data that your company holds. It's a good idea to also keep a record of where it came from and with whom it has been shared.

To make sure your data is held in compliance with GDPR regulations, it's advisable to conduct regular information audits.

Make sure everyone knows and understands the special requirements

GDPR has some special requirements that must be adhered to, so it's important that all your employees are fully aware of what these are. As previously mentioned, failure to do so can incur hefty fines.

For example, depending on the type of organisation you operate, you may need to appoint a Data Protection Officer if one isn't already in place.