GDPR can be a little daunting, especially to small businesses that don’t have the resources to analyse and implement a compliant procedure. There is so much information out there that it’s hard to define what needs to happen.
However, the main concepts and principles of the current Data Protection Act don’t differ too greatly from the new law. If you’ve already got a comprehensive procedure in place, that’s a great starting point: you’ll need to enhance some elements and change a few points along the way. In particular, the new law places greater emphasis on the data controller’s documentation and on the individual’s rights.
Here are our 5 top tips:
Ensure that you communicate within your business about the impending change to the law. Having input from key stakeholders within the business can help to identify risks to compliance. If you have a team working together from different areas of the business, you’re likely to uncover any problems quickly.
Ensure you designate a Data Protection Officer if you carry out large-scale systematic monitoring of individuals, or large-scale processing of special categories of data or of data relating to criminal convictions and offences. The role of the DPO is to implement procedure, be accountable for the processing of data, monitor compliance with GDPR and data protection law, and be the first point of contact for supervisory authorities and for the individuals whose data you process. If you are a small business and do not carry out any of the above, allocating a GDPR project manager will still be very beneficial in reaching compliance.
Some aspects of GDPR will have more of an impact on businesses than others, so with a team of key personnel you’ll be able to highlight which parts will have the biggest impact and then prioritise your planning.
Take a step back
Yep! It’s time to take that famous step back to audit and document the personal data you currently hold. This includes customer data but also employee data, together with why and how you process it. You must ensure that the data is correct, in date and relevant. Any incorrect data needs to be rectified and the correction documented. This is also proof for the GDPR’s accountability principle: you must be able to show your path to compliance, which brings me to the next tip.
Create policies and procedures
Whether or not you already have policies and procedures, you’ll either have to create them from scratch or adapt what you have to ensure you’ve taken on the new changes in the law. If you have all the relevant documentation for your data processing, you’ll be able to prove your compliance quickly and easily.
I’m sure you already gain consent to record and process data, but you’ll need to review your messaging and ensure the following:
- Be granular, clear and specific
- Make sure the message is prominent and not hidden or in small type
- Include a positive opt-in: the individual needs to physically tick or sign to give consent
- Document consent properly
- Make it easy to withdraw consent
Clarity is King!
You must be transparent in your privacy notices about what data is held, how it is used and for how long it will be held. Clearly state the above and make sure it’s easily accessible to the individual, so they fully understand how their data is stored and processed.
You need to include the following:
- Your lawful intention for processing the data and how it might be shared
- How long you will retain the data
- The individual’s rights: to complain to the ICO, to request access to their data free of charge in a commonly used format and within one month, to request correction or deletion of data, and to object to data processing
These tips just scratch the surface of what the new law entails, but they give you a framework to tackle GDPR within your business. GDPR not only affects marketers and retailers; it affects any business that processes data. These tips come from how we’ve approached the changes in data law that GDPR is enforcing.
For detailed resources, visit the ICO’s Guide to the General Data Protection Regulation (GDPR).
If you’re a small retail business looking for help, please contact our sister company Digital Team on Demand, who will be able to swoop in a GDPR hero to help you plan for compliance by 25th May 2018.
Note that this blog post is not intended to constitute legal advice or offer comprehensive guidance on GDPR. This is just our professional opinion.