It is time to start planning for the new General Data Protection Regulation (GDPR), which is due to be implemented into national law by 2018. Truro lawyer, Kirsty McAuley of the corporate and commercial team at Coodes Solicitors, gives her top five tips to get your business ready.
- Review how you hold data now
A good starting point is reviewing how you currently hold and manage data. This could be personal information on customers, clients or other contacts. Do you understand how this data is held, who can access it and whether or not it is shared with other companies? Understanding how you currently manage data will be vital to ensuring you make the necessary changes to comply with the new regulation. Build in regular reviews and delete old and unnecessary data.
- Understand the difference between opting in and opting out
Under the GDPR, people will generally need to ‘opt in’ rather than ‘opt out’ of receiving information from you or third parties. At the moment, for example, some businesses invite customers to tick a box (opt out) if they do not want to receive further information and some online forms include pre-ticked boxes, which need to be unticked. This will no longer be possible when the new regulation comes into force. Now is a good time to start looking at how people currently sign up to receive information from your business and incorporate a positive ‘opt in’ procedure.
- Set up processes for managing data breaches
The new regulation sets out stricter terms for how a business needs to respond when sensitive or confidential data is accessed by an unauthorised person – accidentally or otherwise. Under the GDPR, businesses must report any data breaches to the Government body responsible for data protection (the ICO) as well as to the individual affected. It will be far easier to manage any breaches if systems are in place to identify when these occur.
- Work out how to handle data access requests
A key element of the new regulation is that individuals should have the right to access their own data, for free and within a shorter timescale than is currently permitted. It will also allow people to exercise more rights around their data, including an expansion on the right of an individual to be forgotten. Businesses should therefore review how they currently manage any data access requests and consider how they can handle them more quickly and efficiently in the future.
- Get your teams on board
The success of any business in meeting the new requirements will be dependent on people across the business understanding the changes. Your business may be under a requirement to appoint a data protection officer, so it is best to look at this sooner rather than later. Although the exact form of the national law is not yet known, it would be wise to start raising awareness as soon as possible. Consider who the key people are – particularly at a senior level – who will need to have an understanding of the GDPR, and work out what information they need. You can then put a training and communications plan in place.