We often hear about how GDPR is a burden for businesses: the negative sides of its implementation and the stiff penalties for compliance failures. However, it is not all doom and gloom, as there are a number of benefits which GDPR will bring, such as simplifying existing regulations.
GDPR is also forcing many marketing professionals to conduct a much-needed cleanse of their databases, which means that the data stored about customers is of the highest quality. This in turn leads to more tailored campaigns, which ultimately yield higher revenues.
To help you kick-start your journey toward compliance, we have compiled a list of the 7 crucial steps needed to get GDPR-ready.
1. Audit the Information You Have
GDPR isn’t solely concerned with the way in which data is processed going forward; it will also impact the data you currently hold. Therefore it is important to conduct an audit of your company’s data. For any data which is considered to be personally identifiable, you should ensure that it was collected, stored and processed in a manner compliant with GDPR.
2. Determine your legal basis for processing customer data
When it comes to the processing of customer data under GDPR, one word that continually comes up is ‘consent’. Consent is one lawful basis for processing; however, it is not the only basis. There are in fact 6 lawful bases under which you can process data. Besides consent, these include:
- Contractual Necessity
- Legal Obligation
- Vital Interests
- Public Interests
- Legitimate Interests
It is therefore necessary for you to review all of your data processing activities and ensure that you have a lawful basis for each. It is important for you to be able to clearly explain why a particular basis was selected. This is particularly important when it comes to processing under ‘Legitimate Interests’. Here you must keep a record of the organisation’s assessment of that legitimate interest, to show that the organisation properly considered the rights of data subjects.
You will also have to explain your lawful basis for processing personal data in your privacy notice and when you answer a subject access request.
3. Centralise Data Storage
Organisations should seek to store all data acquired in one centralised location, as opposed to separate locations for separate items. This practice helps to increase both the integrity and security of your data, as practical security measures can then be implemented in one place to reduce the risk of an attack from hackers. If you hold data in multiple locations you increase the risk, as you need to ensure each separate location is secure; this also gives hackers greater opportunity to launch an attack.
4. Keep Your Data Secure
This one goes without saying, but ensuring that your data is stored in a secure manner is of paramount importance. From here, appropriate measures can be implemented. Basic security procedures such as encryption and password protection should be implemented, if they haven’t been already. Security best practices must also be promoted amongst members of your organisation.
5. Implement Individual Accountability
We have said it once and we will say it again: GDPR should not be left in the hands of the compliance department. It is essential that all members of staff are properly informed on the regulation and given the required training to ensure they can effectively implement it.
Strict, automated processes governing how long you hold onto personal information, and what happens to it when it’s no longer needed, should be implemented for employees who work with personal data of any kind.
6. Adopt a Privacy by Design Approach
Privacy by design is a pretty simple concept: it’s essentially a procedural reminder to build user privacy principles into the development of a product or tool from the outset. Doing so will help to ensure that customer data is kept as secure as possible and can help mitigate the risk of a potential breach.
7. Plan for a Potential Breach
As the saying goes, “Failing to plan is planning to fail”. Breaches can and do happen. Even if all the correct steps are taken to prevent a breach, simple human error can cause one. In the case of a personal data breach, it is essential that it is reported to the relevant supervisory authority within 72 hours. To be clear, this means 72 hours from when you become “aware” of the breach, not necessarily 72 hours from when it occurs.
If you require any further assistance regarding GDPR compliance or how data can be used to improve your customers’ experience, feel free to contact us today through the contact form below or on +353 1 804 1298.