We’ve written lots about this so far, but just a quick re-cap for those still getting their heads around it all. The first things you should do are:
1. Work out how you use data in your business now and how you think you may want to use it in the longer term.
2. You should then audit what data you are actually holding on individuals.
3. You then need to decide whether or not you actually need to hold the information and for what purpose.
4. Once you have established these points, you need to establish what lawful basis you have for holding this data. The ICO has released an interactive tool to help you to do this.
5. If your lawful basis is consent, you need to check whether you have the correct permission from that individual to use the data for the purpose that you intend. What individuals are consenting to must be very clear, along with a transparent and easy opt-out.
6. If you need to gain consent, particularly for marketing, then now is the time to gain those permissions.
Hopefully, you are in (or getting into) the swing of the points above.
The next phase is to establish how as a business you are going to successfully manage this new world. Areas to think about are:
Are you clear on the data permission statements that you need to put in place? These need to be clear and concise, telling the individual exactly how you will use their data and what you will be contacting them about in the future.
How will you record the permissions that you have been given and stay on top of the opt-outs?
Do you know where all of your data is? Remember this includes physical data in paper form, files, etc.
How will you store data securely?
How will you destroy data securely?
Is your website up to date on its security checks? Is it secure enough?
Do you have a security backup plan?
Have you revised your privacy notice, made sure that it clearly explains how you're handling personal data and published this on your website?
Have you thought about how you're tracking visitors to your website and how to allow them to opt-out of being tracked?
Are all your staff adequately trained on the new processes within your business? Do they all have enough understanding of GDPR and its implications for the business?
The important thing in all of this is the ‘P’ word. Process. It will take time to settle into a process that both meets the needs of the new regulation and works realistically for you as an organisation. However, the most important thing is that you establish a process and that you involve all of your staff in getting it up and running. You can iron out bumps along the way, but the important thing is to get started.
We’ve written several articles about GDPR, which you can find on our GDPR Hub.
For full information on GDPR, visit the ICO GDPR guide.