GDPR, or to give it its full name the General Data Protection Regulation, will be coming online in May 2018. And this means your business needs to have all its Data Protection ducks in a row by April next year if you are to be compliant.
The good news is that you have 7 months to get ready.
The bad news is that you have 7 months to get ready!
GDPR will change the way you work
OK, let’s start by being honest. For most small businesses like our own, data protection has probably had less air-time in our offices than the tweets coming out of the White House. Which is pretty shocking when you consider the impact of those tweets on the day-to-day running of our businesses (zero) compared to the impact of a data breach (disastrous).
Chances are, up to now, you have probably visited the ICO website, completed a questionnaire on your obligations under the Data Protection Act 1998 (DPA) and, if prompted, paid the annual registration fee.
And that was pretty much it.
But change is afoot in the world of Data Protection and if it isn’t already on your radar, and on your meeting agendas, then you will want to read on.
Get GDPR right and you will protect your data, and your reputation
If you are a large, complex organisation, there is a good chance that your preparations for GDPR are well underway. You have probably got an expert working alongside your management team.
A wise move considering the stakes have just gone up. There are some hefty fines for companies that get their data protection practices wrong (£10 million+), although you can argue that the impact on a company’s reputation can be far more damaging than the fine.
We also need to be GDPR compliant
At OpsAngel we are process specialists, not data protection specialists. But we are also a small business that needs to be compliant before the reforms are in place. And as compliance basically means being able to follow a process and do the right things at the right times, we can help. We are going to share with you the steps we are taking right now to get ready.
10 things you can be doing right NOW
While this will be a useful guide for you on the kind of things you could be doing to be prepared, your first step should always be to seek expert advice – every business is different and unique, and your data practices may need a tailor-made approach to ensure that you are compliant. Get yourself on a GDPR course, visit the ICO website and read all about it, or get an expert to do a Data Protection Audit.
Step 1: What data do you have and where is it?
Being able to answer these questions is kind of fundamental to being able to protect the data you have. Mapping out the data flows in your business will help you to capture how data flows in, and out of, your business, and which data you store as a business. You should consider the data that flows to and from your customers, your suppliers, and your employees. There will also be data that is created by your website if you have one, and from other sources such as CCTV. Once you have worked out your data flows you can identify the data that you need to protect and start putting a plan in place.
Step 2: Review your old CRM database
So, one of the things that is going to be a real problem for many businesses is that the data protection reforms won’t just cover the new data you collect, but the data that you have already collected. And for anyone that has an old database of contacts lying around this could cause some problems. The emphasis is on you being able to provide evidence that those on your CRM system gave explicit consent to be contacted in whichever way you are contacting them. That stack of business cards in the corner collected over the years could suddenly be very important.
Step 3: Start asking for consent
You might have already noticed this on the networking circuit: people asking what they can do with your details, or asking to take photos of your business card and then handing the original back to you, or people asking you to fill out a form and check some boxes on how you would like to be contacted and stay in touch. Or you may even have heard GDPR being mentioned. You need to be doing the same. Get into the habit now while everyone else is practising and it will become second nature come May next year.
Step 4: Check your contracts
Checking the contracts you have with suppliers might not be an immediately obvious step but nevertheless it is important. This is because suppliers, and for most of us this will probably mean software providers, will need to make sure that their contracts are compliant with the new data protection laws. If you are one of millions of businesses using cloud technology it will also pay to get a little curious; ask where your data is stored and what happens in the case of disaster recovery.
Step 5: Turn on encryption and check your passwords
To be honest, this is something that should be standard practice in your business anyway. If you aren’t in the habit of changing your passwords on a regular basis, and ensuring that your team take care over their passwords, then you have 7 months to form a habit that is fundamental in keeping your data safe. And most devices come with encryption technology that just needs to be turned on.
Step 6: Update your Privacy Notice
Step 7: Design a process for dealing with data requests
One of the provisions of the GDPR is for individuals to be able to ask companies exactly what information they hold on them. While this is going to hit companies with a huge number of customers the hardest (particularly if we all make requests at the same time!), it could also be a time-consuming task for owners of smaller businesses. Having a process already in place to deal with a request will go a long way to reducing the time it takes to process and respond to a request, if one happens to come your way.
Step 8: Design a process for dealing with a data breach
OK, so here you need to plan for worst-case scenarios. On average it is thought most businesses don’t notice a breach until 6 months after the breach has happened. And even if you are quick to find the breach, as TalkTalk has recently found out, trying to minimise the impact on your reputation is another thing altogether. While the ICO will have a clear process on how to report a data breach, you will also need an internal process that includes steps to investigate the breach and immediate actions to ensure any future breaches of the same data are prevented.
Step 9: Diarise Data Protection Reviews
Diarising a review point is the easy bit; actually reviewing something when you said you would is quite another. If you are a business that has a lot of data that you need to protect then you may decide that you want to keep data protection on your monthly management team agenda. If your business only handles a small amount of data, you may just want to do an annual review. Remember, the ICO wants you to evidence that you have done everything reasonable to protect the data you have and that you are thinking about it at a strategic level.
Step 10: Train your team
If you want to be compliant, and stay compliant, you need to train your team to understand data protection. They need to understand your data security policies, recognise vulnerabilities, understand the data they are dealing with as they go about their day-to-day duties and know what to do if they suspect a breach. While most people will tell you data protection is a tech issue, the reality is that most data breaches will actually be caused by people who are in a non-technical role.
GDPR is a boardroom issue
It’s worth mentioning that GDPR has a very specific objective in mind: to make data protection a boardroom issue. The ICO has been clear that they want to work with businesses to help them comply with the new legislation, but they are looking for evidence that you had data protection very firmly on your agenda and as part of your wider business strategy.