In this second blog post about the upcoming GDPR (General Data Protection Regulation), we’ve got 5 simple steps you should take now to prepare your business for the upcoming changes.
Getting ahead is the best step you can take. We understand that it may be daunting to make big changes to your business processes, so here are 5 simple steps to take now:
Map your company’s data
It will always be easier to manage personal data responsibly if you know what it is, where it came from and where you are storing it. Before you take any major steps, the best place to start is to map where all the personal data in your entire business comes from, which systems it flows through, and where it ends up, and document all of it.
This is essential for understanding your risks, including problems with where the data resides, who has access to it and any other factors that pose a threat. Include the less obvious places too: backups, spreadsheets, email, test environments and third-party services all count. The more you know about your data, the better equipped you are to manage it. Spend some time getting to know your systems; it will make everything that follows simpler.
Determine what data you need to keep
This is the perfect opportunity to declutter and clear out any data you don't need. Think of it as a spring clean.
You shouldn't be keeping more personal data than you need, because every extra record you hold is one more that can be lost, stolen or misused. By having a clear out, you are already reducing the damage a future breach could do. Delete any data that you no longer use and have no purpose for. The one caveat is that some records must be kept for a set period under other laws (tax and employment records, for example), so check your retention obligations before deleting.
If your business collects a lot of data that has no real purpose, you won't be able to carry on doing so once GDPR is in force: data minimisation and purpose limitation are core principles of the regulation. That's why it will pay in the long run to get into good habits now.
There are several questions you can ask yourself to make the process simpler.
- Why exactly are we archiving this data instead of just deleting it?
- Why are we saving all this data?
- What are we trying to achieve by collecting all these categories of personal information?
- Does the cost of keeping this data (storing, securing and encrypting it) outweigh the benefit of retaining it?
Put security measures in place
Data breaches are serious and can do lasting damage to your company's reputation. You need to do everything you can to avoid a breach, and follow the right procedures should one happen.
First, develop and implement data protection safeguards throughout your entire business. This means putting security measures in place to guard against breaches, and being sure you can act quickly when one occurs: under GDPR a breach that is likely to put people at risk must be reported to the supervisory authority within 72 hours of becoming aware of it, and the affected individuals must be told without undue delay if the risk to them is high. Rehearse that process before you need it.
Second, make sure that your suppliers have the right security measures in place too. If a supplier processes personal data on your behalf, GDPR requires you to use only processors that give sufficient guarantees about their security, and to have a written contract with them setting out their obligations. You remain responsible for the data even when it is in their hands. Work with your supply chain to reduce that risk as far as you can.
Consent is key
You need to review the communications you send to people and the information you store. Consent is one of several lawful bases for processing under GDPR, but where you rely on it the bar is higher: consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. In other words, people will have to 'opt in'. You will have to communicate the specific details of how the data will be used, so that they are fully informed about what it is being gathered, processed, used and stored for.
You must also ensure that everyone who opts in has been given sufficient information about your data gathering, processing and storage processes, and that withdrawing consent is as easy as giving it.
You will also need to keep records of who has opted in, what they were told at the time, and some form of verification of that consent. This gives you an audit trail, which is vital because GDPR requires you to be able to demonstrate that consent was given, and it will be the first thing asked for if a complaint or breach is investigated. Review all your policies, privacy statements and disclosures, and adapt them where you need to. Pre-ticked boxes, silence and implied consent will no longer be acceptable.
Establish procedures for handling your personal data
With the eight rights for individuals under GDPR, you will need to establish a policy for handling each of them. For example, what is your process if an individual asks for their data to be deleted, or asks for a copy of everything you hold about them? Requests like these generally have to be answered within one month, so you need to know in advance where the data is and who is responsible for acting. What is your communication plan in case of a data breach? Evaluate all the risks and have measures in place to mitigate them. Think through the questions you could be asked and have the answers ready. This will help you to keep operations running smoothly, avoid risks and handle any crisis well. Having all these procedures in place before the deadline may seem daunting, but if you start with the data map from step one, each procedure follows naturally from it.