Two months ago we mentioned that you should start preparing for the effects of the General Data Protection Regulation (GDPR) soon. The Information Commissioner’s Office (ICO) has gone one step further and suggested you should begin now. For all of us in email marketing and data retention their 12-step advice document is a must read. See: https://dpreformdotorgdotuk.files.wordpress.com/2016/03/preparing-for-the-gdpr-12-steps.pdf
The document is written in clear, precise language and is an easy read. And read it you should, and now, despite the GDPR not becoming law before mid-2018.
The twelve steps are:
1/ Awareness
You need to ensure that key people and decision makers in your company are aware that changes are coming.
2/ Information you hold
You need to start cataloguing the personal data you hold and all the details of it, such as whom you share it with. Ask yourself how long it would take you to organise and perform an information audit and whether you have the staff with the necessary skills.
3/ Privacy notices
Review your current privacy notices, in other words the information you give to someone when collecting their personal data, such as how you will use the information.
4/ Individuals’ rights
The main rights for individuals under the GDPR are:
- Subject access,
- To have inaccuracies corrected,
- To have information erased,
- To prevent direct marketing,
- To prevent automated decision-making and profiling, and
- Data portability
5/ Subject access requests
You need to work out how to handle such requests within the new time limits.
6/ Legal basis for processing personal data
You must not only identify the legal basis for your use of data but document it.
7/ Consent
The GDPR requires you to demonstrate that consent was given for everyone on your email marketing list for instance.
8/ Children
How do you verify the age of a person, or gather the permission of a parent or guardian?
9/ Data breaches
You will probably require new systems to detect, report and investigate any breach of personal data.
10/ Data protection
The ICO has produced guidance on Privacy Impact Assessments, but you will have to consider how you will implement them. Privacy by design is the catch-phrase. It is a requirement as well.
11/ Data protection officers
You need to know if your company requires a Data Protection Officer and ensure that their position is clear to them and everyone else. The ICO reckons that the GDPR is quite clear that for data controllers, documentation is the new must-have. And finally:
12/ International
If you do business internationally, you need to work out which supervisory authority you come under. It is, unfortunately, not always clear, and there is a possibility that it might change.
If it seems a lot to do, then I’ve managed to convey the second most important aspect of this. The vital one is that you need to start planning now. If you have a trade body or association, chase them up for their advice and suggestions.
We will cover the specific items in depth in future articles. In the meantime, get planning.