Preparing for the GDPR is an item on most businesses’ agendas by now. Inundated with marketing emails and written content from various providers, businesses are being offered help with systems compliance on a daily basis. With the wealth of information available, it can be difficult to scale the task ahead and decide whether your business needs a full compliance audit or a more moderated approach.
Ultimately, data is your crown jewel as a business and it is essential to know whether you can use it and how you can use it, come May 2018. This applies regardless of the size of your customer databases. Accordingly, some kind of audit is strongly advisable; whether it takes the form of a detailed audit of all of your business data processing and systems or provides more of a ‘roadmap’ for the way ahead will depend on the scale of your processing activities and how dependent your business is on using personal data. Retailers and others in the direct-to-consumer business area will be likely to need a more detailed audit than a business-to-business model where very little data (beyond supplier contact information) is processed.
All audits/roadmaps would need to review your online and offline customer/client journey and to consider the third-party service providers you may use as well as your internal policies. We are finding in practice that businesses are often unaware of the myriad data processing activities occurring with their client data – particularly in marketing where profiling and online behaviour tracking are commonplace technologies used by many providers but which are also restricted under the GDPR.
The following list summarises some low-hanging fruit to get you a few steps ahead on the GDPR roadmap while not exhaustive and in no way a substitute for an audit!
- Remove the pre-ticked box in your customer sign-up journey. If you aren’t already embarrassed by it, you will be next year.
- Get that data mapping done. Some of an audit’s value is done before it even begins as the questions we ask then force you to begin the process of deciphering what data goes where. It may come as a surprise how many third parties see and use your data. It may also be a surprise where those third parties are based.
- Get somebody on your board to take charge of GDPR compliance. It will make those budget conversations much easier. Business unit heads need to be accountable too.
- Once the data map is complete, task someone with drawing up a list of all the third parties who handle your business data in order to dig out all the contracts. You must have a set of reasonable processor terms that you are happy with to try and impose on your counterparties. You should also have an idea of what you will and will not accept should others force theirs on you (and what your plan B is if an agreement cannot be reached). Helpfully, there is ICO guidance now on what these contracts must say.
- Privacy Shields. Model Contracts. Binding Corporate Rules. These terms may all sound
equally foreign and impenetrable. For now, it is likely that model contracts will be the simplest way of ensuring compliance with overseas transfers outside the EEA (although now it has been approved, you can also use Privacy Shield for transfers to the US).
- Talk to the people in your IT team and not just the director in the team. Do you have a suite of policies (some of which may have accompanied staff from their previous workplace) or do you have a single page in your staff handbook? They should be compared to publicly available ICO guidance on common security errors businesses make. Find out what happens in practice in your business. There is more obvious stuff in there such as encrypting laptops but also more esoteric advice on SSL technology and hashing and salting of data. Do you impose a security questionnaire on your data processors?
- Draw up a data breach plan, a records retention policy and a subject access policy.
- Get a wall calendar with project milestones on it.
- Finally, you might start looking into software solutions that assist with documentation. Half the GDPR battle is logging compliance!
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.