GDPR – and we’re off!

The GDPR rocket has launched. We are now in a world where we are much more in control of our personal data.

It’s up to us to decide whether an organisation may contact us, and about what. With our business owner hats on, although this initial change may feel like a struggle, we will all end up in a place where the data we hold on people is actually useful to us: they want us to contact them with information about our products, services or simply our knowledge, opinions and expertise. Our databases will be meaningful and useful: gold dust.


This new world, where we all know where we stand, should make communication much better. As business owners we need to work harder at using our databases to the best of our ability: using the information we have been granted permission to use to plan better, develop faster and communicate more meaningful content. As consumers, we will demand a better service in return for the pearls that are our data.


So, moving on to the operational side of GDPR. As a business, you should now be mostly organised in terms of what data you hold on your customers and why, along with the appropriate permissions. You should have, or at least be very close to having, a process and system for managing this data. Everyone involved in the handling, collection and indeed destruction of data should be fully trained in your processes and systems.


In the midst of all this, have you had the chance to think about the systems which process and hold the data? The kit at the coalface of the information? This will, in many cases, be your website and/or accompanying business information systems, and the data will be transactional, opinion based or for the purpose of marketing. But the million-dollar question is: are they secure? Under the GDPR, you must be able to show that you have taken measures to ensure that the systems you use to store data are secure. Specifically, the regulation (Article 32) states that you must implement a level of security that is appropriate to the risk.


Focusing on your website, at the most basic level you should think through:

  1. Does your hosting provider apply security updates promptly?  Once a vendor issues a security advisory, the relevant updates must be applied very quickly, otherwise you are leaving your website vulnerable to attack. This applies to the CMS and its plugins as much as to the operating system and web server.
  2. Do you have a process for protecting personal data during periods of development or support, for example making sure live customer data is not copied into test environments?
  3. Are private data files properly and adequately secured?  Do they have the correct access control? Exports, uploads and backup files should not be readable by other users on the host, nor reachable from the public web root.
  4. Is the server where your website is hosted properly managed in terms of security?
  5. Do you have a backup plan?  None of us want to imagine that something will go wrong, but it could, and it does. Are you clear on what to do if your site goes down? How will you protect any data held on individuals? How will you recover your business? You will need to work back to when you last had an uncorrupted version of your website: can your hosting company do this? Are they competent and capable in terms of disaster recovery? A backup that has never been test-restored is not a backup plan. Every second counts.
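Points 3 and 5 above are the two you can check yourself without waiting for your hosting company. The script below is an added example written for this article, not code from the original post or from any hosting provider. It audits a directory of customer data for files that other users on the host can read, tightens the permissions, and then proves a backup of that directory actually restores by comparing checksums. It assumes a Linux host with GNU find, tar and coreutils (sha256sum); the customer-data directory and its files are constructed inside the script purely for the demo, so point DATA_DIR at a real directory to use it on a site.

```shell
#!/bin/sh
# Added example (not from the original article): audit customer data files for
# permissions that let other users on the host read them, lock them down, and
# verify that a backup of the directory restores byte-for-byte.
# Assumes GNU find/tar/coreutils. All paths below are constructed for the demo.
set -u

# Print files under $1 that are readable (o+r) or writable (o+w) by "other".
# Returns 1 if any were found, 0 if the tree is clean.
find_world_accessible() {
    found=$(find "$1" -type f \( -perm -004 -o -perm -002 \))
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Strip group/other access: files owner read/write only, directories owner only.
lock_down() {
    find "$1" -type d -exec chmod 0700 {} +
    find "$1" -type f -exec chmod 0600 {} +
}

# Checksum every file under $1 into a sorted, path-relative listing so two
# copies of the same tree produce identical output regardless of location.
checksum_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort )
}

# Archive $1 to $2, restore it into a scratch directory and compare checksums.
# Returns 0 only if the restored copy is identical to the source; any tar
# failure or mismatch returns 1, which is the case a backup plan must catch.
verify_backup() {
    src=$1
    archive=$2
    tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")" || return 1
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$archive" || { rm -rf "$scratch"; return 1; }
    checksum_tree "$src" > "$scratch/expected.sum"
    checksum_tree "$scratch/$(basename "$src")" > "$scratch/actual.sum"
    if cmp -s "$scratch/expected.sum" "$scratch/actual.sum"; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

# Build a constructed sample data directory: one export left world-readable
# (the mistake we want to catch) and one file already locked down.
make_sample() {
    dir=$(mktemp -d)/customer-data
    mkdir -p "$dir/exports"
    printf 'id,email\n1,alice@example.com\n' > "$dir/exports/customers.csv"
    printf 'internal notes\n' > "$dir/notes.txt"
    chmod 0644 "$dir/exports/customers.csv"
    chmod 0600 "$dir/notes.txt"
    printf '%s\n' "$dir"
}

# Demo run on the constructed sample (replace with a real path to use it).
DATA_DIR=$(make_sample)
echo "Audit before lock-down:"
find_world_accessible "$DATA_DIR" || echo "-> world-readable personal data found"
lock_down "$DATA_DIR"
echo "Audit after lock-down:"
find_world_accessible "$DATA_DIR" && echo "-> clean"
if verify_backup "$DATA_DIR" "$(dirname "$DATA_DIR")/backup.tar.gz"; then
    echo "Backup restores correctly"
else
    echo "Backup did NOT restore correctly" >&2
fi
```

The permission audit only covers other users on the same host; whether the directory is reachable through the web server is a separate check against your web root and server configuration. The restore check is deliberately strict: it compares a full checksum listing, so a backup that silently drops or truncates a file fails rather than looking healthy until the day you need it.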


Lots to think about in this new world. At first, like most change, it will feel painful. However, one thing is for sure: businesses will be driven by meaningful data, which can only be a good thing for us all.


We’ve written several articles about GDPR, which you can find on our GDPR Hub.

For full information on GDPR, visit the ICO GDPR guide.

May 2018