The introduction of GDPR might seem like a long way ahead, but May 2018 is rapidly approaching.
If you haven’t heard of GDPR – General Data Protection Regulation, you need to get up to speed, quickly.
Head over to the ICO website now to find out more (don’t worry, it’ll open in a new tab/window so you can continue reading this when you’re done).
By the end of this blog, you should have a clearer idea of what you need to be doing and thinking about now so you’re GDPR compliant when it does become a legal requirement.
The first step towards being GDPR compliant is auditing how you currently hold and process data
It’s critical to understand the data you hold for your business, and where you store it.
That means carrying out a data audit.
It’s good practice to be doing this under the current Data Protection Act, so if you haven’t done it recently it should go to the top of your to-do list.
The first step is establishing how and why you store data.
- Do you have paper-based records, or is it all stored online, or on a hard drive?
- Who else has access to the data you have control over?
- What permission do you have to collect and use the data you have?
Knowing the software that you use to process data is important for GDPR compliance
Have a good think about all the software, apps and tools you use for your business – this includes storage systems (Dropbox, Google Drive, etc.), Microsoft products, CRM systems, email accounts, hosting providers, etc.
Make a note of any that are cloud-based, find out where the servers are located, and ask what that company is doing to ensure it’s compliant with GDPR.
Ok, whilst we’re talking about storage, there are a few additional points you need to consider.
How long do you need to keep the data for? Have you looked into any professional, legal or insurance requirements for a set period of time?
How are you currently destroying data, and is that the most secure method?
Once this is completed you’ll have a better understanding of how GDPR will impact your business when it rolls out, and what you’ll need to do about it (this information is expected to be available from January 2018 and I will keep you updated, so watch your inbox).
Encrypting data is a key task in ensuring it’s responsibly protected according to GDPR requirements
You’ve seen those articles about memory sticks left on trains, or found on the backseat of a taxi, that contain medical files, or information belonging to Government Ministers, right?
You might think that kind of thing would never happen to you, and you’re hardly storing life-changing information anyway, but mistakes happen. What if your personal information was on a device that fell into the hands of someone else – how would you feel?
You need to be making every effort to ensure that the data you store is responsibly, and reliably, protected.
To review your devices, you need to answer the following:
- What devices do you use to access software and personal data?
- Do you store personal contact details on your mobile phone/tablet?
- Who has access to these devices?
- If you have employees or associates, do any of them access the systems, software and data using their own devices?
Make a list of every device used and the data that’s kept on them – then encrypt them!
Is the data protected against hackers, malware and viruses?
Anti-virus, malware and spyware protection is essential for anyone using a computer or laptop these days, and few of us don’t have one installed.
But what about your mobile phone or tablet?
If you haven’t already, install appropriate software on every device – you may need more than one to be sufficiently protected.
Keeping passwords secure is an important aspect of data security, and it can also help to prove you’re making every effort in keeping the data you hold secure.
You need to make sure you’re using a password manager; I use LastPass.
Make sure you’re only using strong passwords that are unique, ideally allowing your password manager to generate them for you.
One final word on newsletter and subscriber mailing lists and GDPR
I’ve had a lot of questions about mailing lists and the software used to create them – will they be GDPR compliant?
Whether you use software, such as MailChimp or MailerLite, or you hold the information manually, you need to be asking yourself some questions:
- Were all signups collected via a double opt-in?
- If not, can you prove that people gave their permission to be added to the list?
- Do you have pre-ticked sign-up boxes on your website contact forms? These are not permitted under GDPR.
- Is it clear what people are signing up for? Are you specific about the communications they will receive?
Under GDPR you must be explicit about how you are using the information and what your subscribers will be receiving in return – promising a newsletter delivering your latest blog but sending them sales promotions would be a breach.
As you can see, there is a lot you need to think about when preparing for GDPR. To make it easier for you I’ve been working with KoffeeKlatch and together we have produced a GDPR planner that you can download now and start using right away.
Still confused, or need some help getting started? Take a look at our GDPR Preparation Service. Working with us will help you to fully understand the data you hold, where it is located, whether you have the consent you need, and the next steps you need to take. That will not only reduce your stress, it will also give you time to focus on your business.
Disclaimer: This blog has been written by Banks’ Business Solutions and represents our interpretation of guidance made available by the ICO on this topic. It doesn’t provide any legally binding guidance and you should ensure that you take your own legal advice to ensure you comply with the full requirements of GDPR for your business.