The GDPR deadline is looming and from the 25th May, all businesses and organisations that collect the data of EU citizens will need to be compliant. If you aren’t, then there is the potential for heavy fines. As you may have noticed from the number of GDPR related emails you’re getting in your own inbox, virtually every company you deal with is making preparations. If you haven’t yet got around to making the necessary changes, here are the main things you will need to do before the deadline.
1. Get consent from interested parties to collect, store and process their data
According to the new regulation, you must ask for ‘explicit and positive consent’ before obtaining the data of users. This means that when collecting personal information, such as asking for email addresses, you must provide a means for users to give that consent. This may mean you need to add a consent field to any online forms. You must also state why you are collecting the data and how you will use it.
If you already hold data for which you do not have consent, you will need to go back and ask for it. This is one of the reasons why so many companies have been sending out GDPR emails to their customers asking if you still want to receive newsletters or offers.
2. Strengthen your data protection by design
To comply with GDPR, your business or organisation has to have a ‘start to finish’ data protection policy. This means ensuring that data is secure right from the moment a user sends it to your server, during transit, throughout processing, in storage and even when being deleted.
Part of the process of developing a ‘Privacy by Design’ system must involve a ‘privacy impact study’, which should look at how any changes you make will help protect data and prevent data breaches.
You don’t have very long to do this, so if you haven’t begun the process, the best solution in the short term is to audit the security you already have in place and then look for weaknesses you can quickly fix, such as by obtaining an SSL certificate, backing up your website and data, making sure you have a firewall in place and ensuring that your site and email are scanned for viruses. Make sure, too, that strong passwords are used.
If you host your data on a third-party server, as most website owners do, you also need to ensure that your web host’s server is secure and that any processing they do on your behalf is GDPR compliant. Make sure your host provides you with a Data Processing Agreement. You may also find that your host needs to make changes to their agreements and SLAs in order to be compliant themselves.
3. Update your privacy policy
Privacy policies explain to users how and why you collect their data and how it is used. GDPR will require you to make changes to your policy because it will change the way you need to treat data.
You need to be careful here that you have a full understanding of ‘personal data’. It includes any information that can be used to identify a person. This means that such things as visitors’ IP addresses, which are collected by background software and plugins, could, when linked to other information, be seen as personal data. So even if you don’t collect personal data for business purposes, you may still be collecting it unwittingly simply in order for your website to operate.
With this in mind, you may need to make changes to your policy. For example, you should tell users if you collect data for which you do not need consent, such as IP addresses used solely for web security or site integrity. Your policy should also inform users how to contact you in order to have any of their data deleted.
4. Updating other policies and agreements
5. Human resourcing for automated profiling decisions
If your business makes automated decisions about customers based on data profiles, such as in granting credit (credit scoring) or offering memberships, these may no longer have legal standing after GDPR comes into force.
Under the regulation, individuals can refuse to be the subject of a decision based on automated processing. Inaccurate data and errors in processing have caused people to be wrongly treated in the past and the new regulation is designed to prevent this. If a person challenges an automated decision, you will need a human to look at the case.
Whilst this doesn’t mean businesses have to scrap automated data-based decision making, it does mean they have to have the human resources in place to deal with any customer who refuses to accept the decision.
With deadline day approaching, if you haven’t yet begun to address the changes GDPR imposes, you’ll need to do so quickly. Hopefully, this checklist will help. However, if you are having difficulties, make sure you check the Guide to the General Data Protection Regulation on the Information Commissioner’s Office website.