There is so much talk about the GDPR (General Data Protection Regulation), which comes into effect on 25th May 2018, that I am setting out my simple approach:
- Appoint a Privacy Lead.
- Make sure you have effective ongoing communications in place, internally with employees and externally with customers/clients and suppliers.
- To meet the core principles of the GDPR, be open, honest and transparent with your customers/clients about what data you are collecting, as well as why and how you are using that data.
- Ensure you have consent from your customers/clients to process their data.
- Audit your data and update your privacy policies (for both personnel and customers/clients), and identify relevant technology to help fill in any gaps.
- When auditing, assess the data you are holding:
  - What kind of data are you storing?
  - Where does the data reside?
  - What is the format of the data?
  - Can you anonymise the data?
  - Is it centralised, or does it live on multiple devices?
  - Why are you storing the data?
  - How did you get the data?
  - Do you need to keep storing the data, and can it be deleted or changed?
  - How do users access the data? Is access encrypted and secured?
  - Is the data exposed to third parties?

Remember:
- Personal data is “any information relating to an identified or identifiable natural person”[1].
- Ultimately, the increased protection of EU citizens and their rights is the end goal of the GDPR.
- A main difference between pre- and post-GDPR is that your customers/clients will now have the ability to request that their data be completely erased.
- Fines of up to €20 million or 4% of global revenue are a possibility for those who are deemed to be negligent.
- The Data Protection Commission’s “The GDPR and You” is a good preparation tool.

[1] The EU definition of “personal data” is set out in the Data Protection Directive 95/46/EC.