GDPR is Coming!
Posted on Wednesday, January 17, 2018 by Adrian Foster
The General Data Protection Regulation (GDPR), passed by the European Union in April 2016, will have a far-reaching global impact on data security. No matter where you are based, any organisation that does business with EU citizens, or holds data on them, must comply with the GDPR's expanded and more stringent data protection rules by 25th May 2018.
The legislation has been introduced to give individuals a greater say over how their data is handled. Individuals will have a stronger right to be forgotten, and data breaches will become more visible.
Now is the time to start preparing for GDPR. You must know where, how and why you hold data on individuals. Non-compliance could result in a fine of 4% of global annual turnover (or 20 million euros, whichever is higher).
The far-reaching nature of the GDPR means every aspect of a business will feel its impact.
Here at prosperIS Recruitment Ltd we have already started planning for GDPR, and I recently spent some time on an excellent training course.
Consequently, here are 10 tips that could protect your business and ensure you stay GDPR compliant.
1 – Escalate to the top of your business but make sure EVERYONE is aware
It’s crucial that the board understands the enormity of these potential changes, the resource needed to transform the way the organisation handles personal data, and the risks of not complying.
We also learnt that, as well as alerting the people at the head of your business, care should be taken to make sure everyone, especially those who have access to your data, is aware of GDPR. You will be held directly responsible if your employees are still emailing or phoning people when they should not.
2 – Audit your Data
You need to complete an audit of your data. What data do you currently hold, why, and where do you store it? You also need to assess its accuracy, how long you keep it, and whether you can easily react to requests from the people on whom you hold data. For example, individuals will have "the right to be forgotten" and the "right to object", which will allow them to object to their details being used, shared or held. Will you be able to respond to such requests and provide proof that you have done so?
You should ensure that you only contact clients and candidates through the channels you are authorised to use. You are obliged to contact an individual only via the channel they have opted in to. If a person has only asked to be contacted by post, then this is the method you must use, even if you hold their email address.
3 – Understand GDPR
Businesses are going to be impacted by this regulation in different ways, so carry out a full assessment of which changes apply to you and which areas present the greatest risk.
4 – Seek Consent and Don’t Make Assumptions
Seek consent from the people on whom you hold data. Using the medium the individual has consented to, ask them whether they would like to remain on your records. One good tip is to take this as an opportunity to ask whether they would also like to be kept up to date via other forms of communication.
Don’t assume that people are happy for you to hold data on them just because they engage with your business (e.g. they buy something from you). Express permission must still be sought, obtained and kept on file. We learnt that it is not sufficient to merely update your existing terms and conditions.
5 – Appoint a Data Protection Officer
GDPR will require some organisations, public authorities for example, to appoint a Data Protection Officer (DPO). Not all companies will have to do this; however, we learnt that it will be considered good practice to appoint a project manager to oversee our compliance. Part of this person’s role should be to document everything the organisation does to prepare for the GDPR legislation, as well as to report any breaches.
Please be aware that if you carry out large-scale systematic monitoring of individuals (e.g. processing personal data for behavioural advertising) then you MUST appoint a DPO.
6 – Protect your Data
Common sense dictates that as data protection rules become stricter, so should your internal processes. You should take extra precautions to ensure that data is safeguarded and make sure regular tests take place. Consider what action you would take if the security of your data was compromised.
7 – Consider Timescales
Consider how long it is reasonable to keep data. Over the course of time, some users will become inactive or unresponsive. Establish sensible retention periods so you can keep your data accurate and your databases responsive. Moreover, in the event of a data breach, you will hold less data, so the consequences will not be so far-reaching.
8 – Speak to the people you hold Data on
Make sure you clearly communicate to people what data you are capturing and why.
9 – Encourage good practice in your Suppliers
GDPR will affect every business, so speak to your suppliers and ask what steps they are taking to comply. Any good business should be able to tell you the steps they are taking, and they should see it as an opportunity to demonstrate good practice. prosperIS Recruitment will be happy to explain to any client how we are going to comply.
10 – See it as an Opportunity
Personal data is increasingly at the heart of a modern organisation’s operations, and this is an excellent time to make sure the level of protection in place is fit for the new digital era. Moreover, we see this as an opportunity to reconnect with candidates, clients and other contacts. We will be happy to explain how we are going to make sure we comply.
Now for the legal bit: I am not a legal expert, so this information is provided in good faith and is not to be relied upon from a legal perspective. Contact me if you require legal expertise and I will point you in the right direction (in full accordance with GDPR legislation, of course).