It’s only a few months until the General Data Protection Regulation (GDPR) comes into force, with May 2018 creeping up. This new regulation created by the European Commission aims to standardize data protection procedures across the EU. Companies will be required to comply with measures regarding the data they hold and how it’s managed.
Even with Brexit looming, this does not mean that GDPR will not be of importance to companies within the UK. Making sure you’re compliant with GDPR is essential for any company that wants to do business within the EU, so it’s crucial to make sure you’re prepared for May 2018.
Data protection goes beyond being a legal necessity, but is also an important step in creating trust with your customers. It’s a process that requires transparency from your company. There are several steps you need to take now in order to make sure you’re compliant with the new regulations, and we’ve created a checklist to make sure you’re prepared:
Take a Personal Data Audit
By taking a personal data audit you will be able to help identify each of your data processors. This will help you identify which data processors are first-party and which are third-party. For every third-party data processor you will need to double-check their privacy policies to make sure they are GDPR compliant.
Update your Private Policy
Update your privacy notice to explain clearly what information you collect and how you use it. A huge part of GDPR will be about communicating with users about how and why you are collecting data, therefore you’ll need to be upfront and tell them exactly why.
Make your Cookie Notices are affirmative
Currently the standard text phrase that is included in Cookie notices is “by using this site, your accept cookies.” Under GDPR this is no longer going to be compliant, as it only suggests implied consent. You will now need granular levels of control with separate consents for tracking and analytics cookies, as well as mechanisms to also signal customer consent. They need to make an affirmative action.
Review how you capture and store Data
You will need to review your data capture functionality, including the databases, systems, and resources that you have. This will keep all personal data safe and help you manage communication preferences.
Review website
Any weaker parts of your website should be highlighted during your personal audit. Examples of these could be insecure email accounts, contact form submissions, opt in strategies, and opt out strategies. Whatever weak links you find, you will want to either strengthen them or remove them.
Clean up your Email Database
Make sure to clean up your email databases. If your database of subscribers were not collected according to GDPR standards, then you will need to do some cleaning up. This could include sending them a re-permission email so that they can choose to re-opt in. This will provide proof of consent and make your business GDPR compliant.
Make sure Users have a choice
You will need to review the users ability to update their own consent/communication preferences on your website. It is essential now that users have explicit choice in how they are contacted and what they are contacted about.
Revise Opt in forms
GDPR compliance will now mean your contact forms will no longer be able to use pre-ticked boxes, or default settings. You will now have to actively ask people to opt in. This is required to ensure people have a genuine and free choice.
The Information Commissioner’s Office (ICO) advises that you should provide a separate opt-in for each purpose. This is so that, “People should not be forced to agree to all or nothing – they may want to consent to some things but not to others.” You should also make sure people can easily exercise their right to withdraw consent, and use clear and plain language when explaining consent.
Update Policies associated with GDPR
You will need to update your associated policies e.g. a data protection policy. It is important for businesses to have documented policies in place to enable your staff to have a clear understanding of what is required of them.
These policies that will need to updated include:
- Data protection policy
- Training policy
- Information security policy
- DPIA policy
- Retention of records procedure
- Subject access request from and procedure
- Privacy procedure
- International data transfer procedure
- Data portability procedure
- Complaints procedure
You will need to review and update these in accordance with GDPR.
This checklist provides you with the information you need to be confident that your business complies with GDPR. By doing this you will be able to operate with self-assurance, but also increase customer trust in your business.
