How are you preparing yourself for the arrival of the GDPR?
To dispense with any concerns you may have in relation to the GDPR, we compiled a list of things you could start focusing on now to ensure that, by 25 May 2018, your company too will be fully GDPR compliant.
- Check various sources so that you understand what the GDPR entails and what you need to do to be compliant.
- Make sure that everyone in the company is au fait with the GDPR. Responsibility does not lie with one department but is a team effort. You could always organise a workshop to make sure that everyone knows exactly what is expected of them.
- Appoint a key figure who knows the ropes and who is able to assess what needs to be done.
- Check what data you keep on record, for how long, where they came from and whom you share them with.
- Create a database. As of 25 May 2018, you will be bound by an obligation to notify, meaning that any data leaks will have to be reported to the authorities within 72 hours.
Update your documents
Only personal data that are required in the context of the services you provide can be processed. As data cannot be stored indefinitely, we strongly advise you to check important documents, such as agreements, terms of business, privacy policies and suchlike. You may need to amend/update them to be compliant with the Regulation.
The upcoming legislation revolves around consent. As the law is designed to protect citizens, your customers’ consent must be given freely and be specific, informed and unambiguous. In addition, customers must actively consent to their data being stored. Among other things, this means that you are no longer allowed to send out forms with pre-checked boxes. When dealing with minors, you will be obliged to seek a parent’s or guardian’s consent.
Spell out things in plain language
One of the main issues that gave rise to the introduction of the GDPR is that people were keen to know what their personal data are used for. They demanded more transparency, which is what the new legislation will deliver. Come 25 May 2018, you will have to spell out:
- What you use the data for
- How long you will store them
- Whether you will be sharing them
- Whether you will be sharing them outside of the EU
What rights do your customers have?
- The right of information and access to their personal data
- The right to have their data rectified
- The right to be forgotten
- The right to object to direct marketing practices, profiling and automated decision-making
- The right to data portability
As of 25 May 2018, requests relating to any of the above will have to be acted on by law. So, make sure to have procedures in place to deal with any such requests.
Should I appoint a Data Protection Officer?
Only government bodies or companies that regularly process personal data on a large scale, like direct marketing companies, are obliged to appoint a DPO. That obligation can be met by appointing an external consultant or a member of staff as privacy prevention adviser.