GDPR arrives on 25th May — get your business ready
All businesses should:
- Perform a data audit — GDPR regulators will take a bleak view of any firm that doesn’t protect against unlawful or unauthorised processing, damage, destruction or accidental loss of data.
- Confirm your ‘opt-in’ options — GDPR demands that you have a valid legal basis for processing data.
- Prepare for Subject Access Requests (SARs) and Right to Erasure — SARs allow a customer or former employee to request a copy of the personal information an organisation holds on them (subject to certain exceptions). You need to know what info to provide/withhold and have systems in place to provide a response within one month.
Website owners should:
- Get to grips with data types — under GDPR, data like name/address/location/IP address is classed as ‘personal data’, whereas information like health status/ethnicity/sexual orientation/religious and political beliefs is classified as ‘sensitive personal data’ and given a greater level of protection.
- Understand data rights — whether you’re controlling or processing information, you must protect individual rights like the right to be informed, the right of access, the right to rectification, the right to erasure and so on.
- Audit all electronic systems — trawl web forms, CRMs, email clients and social pixels to determine what data is first and third party, how long it’s stored, what’s the legal basis for processing and who it’s shared with.
- Secure systems — by removing risky redundant data, ensuring all data is processed in a GDPR-compliant manner, and ceasing to share information with third parties unless you’re assured they’re also compliant.
- Document your new processes and policies — so you can demonstrate that everything you do is above-board.
- Update and publish a GDPR-ready privacy/data protection policy — to transparently confirm what data you collect, why you gather it and how you use it.
- Obtain clear consent — any electronic data should only be processed according to the declared purpose it’s collected for, so you can’t transfer people who’ve filled in a contact form to your mailing list.
For more information on GDPR preparedness, contact us for a chat or take a look at the ICO advice for small organisations.