The GDPR takes effect on May 25th 2018, placing control of consumer data back in the hands of the consumer. Over the years, personal data has grown significantly in value, with The Economist even calling it the ‘world’s most valuable resource’ behind that of oil. Every person who surfs online leaves a digital footprint: the websites they visit, the places they have travelled, the products they buy or even those abandoned in their cart. This data is then collected and used to target those consumers with personalised ads.
This gives every business an opportunity to carry out a quality audit of its own operations and get rid of bad practices and inappropriate procedures.
What you need to know
- If your organisation is a public authority or body, or you deal with sensitive data on a large scale, or data processing is core to your operations involving “regular and systematic monitoring”, then you will need to hire a data protection officer (DPO). The DPO must be independent and should report directly to senior management. Tip: create an information protection unit (IPU) where legal experts and information security specialists from the IT department can work together.
- Help the DPO run an “information asset audit”. In other words, map your data to determine which department is getting access to which data and for what purpose. Ensure good communication between the IPU and all internal functions, especially IT and marketing. Try to see the DPO as a figure who enables an organisation to function, rather than as just a compliance officer. The DPO can help you adopt “privacy-by-design” principles at the time of developing new applications and services relevant to your customers.
- Once you have completed the data asset audit, the DPO will help you find the appropriate “legal basis” for processing in each case, and adapt procedures accordingly. Run “data protection impact assessments” every time data processing is considered highly risky.
- Be careful with the way you seek permission to process someone’s data. Let the IPU revise your “notice and consent” forms. Explain in simple terms to customers what data you are collecting and how you are using that information. Give people an easy way to opt in to their data being collected and stored, and to check the accuracy of their information. And remember to honour their rights: access, rectification, erasure, restriction of processing and the right to object. Find ways that allow people to access their data in digital form under “data portability” rights.
- Let the IPU revise your internal and external information management and security procedures. You need to be sure that your IT providers – such as those offering cloud services – are GDPR compliant, and that high information security standards are adopted all along your data supply chain.
- Revise data transfer and sharing agreements. Use “binding corporate rules” when appropriate. If you operate in various EU countries, make sure you know who your lead data protection authority is; you can ask for help on this from the independent data protection advisory board, the Article 29 Working Party.
- Train your employees to handle data appropriately. From customer support service, to HR staff, up to the strategic intelligence unit, all employees must understand some basic lessons about information security and data subject rights contained in GDPR.
- Keep a log of all the decisions you take and be ready to explain and provide evidence of full compliance at any time. Be prepared for the day after your organisation has suffered a data breach. You will have 72 hours before you are required to notify the data protection authority and the media. Remember that GDPR is about managing risks and fostering a culture of accountability; if correctly implemented, it will help you protect your reputation and your precious information.
- Remember GDPR is not a choice between privacy or innovation: it’s about privacy and innovation. See it as an opportunity to stop storing data for future use and to better understand what data you need to retain. GDPR is an opportunity to reduce the risk of being the victim of a data scandal caused by poor privacy practices.
- Foster dialogue within your sector to identify best practices and set new standards. Ask your data protection authority for advice and let your IPU learn from others and share their achievements and concerns. GDPR promotes the creation of codes of conduct and certification programs. GDPR is about improving industry standards – you are definitely not alone.
GDPR isn’t something organisations should fear as the clock ticks down to May 25. Take the right steps to build on your existing data-processing frameworks – the rest should be easy.