What do you need to do to get your practice ready for GDPR? In our sister publication Dealer Support, Graham Hansen at HRC Law took an in-depth look – we share his insight and advice
GDPR has been a key topic of discussion for some time now but, with the new legislation coming into effect from May 25 this year, businesses have considerable preparatory work to do to make sure they’re compliant. The countdown is on.
Most will agree that the changes are a positive step – perhaps long overdue in this digital age – but, for many businesses, GDPR is causing a great deal of confusion in terms of what the changes actually mean from a practical perspective.
HRC Law conducted research on what business owners have been searching for online in relation to the upcoming changes to GDPR. A huge increase in searches highlighted that it is increasingly on business leaders’ radars. However, a 450% leap in the most frequent search term, ‘GDPR compliance’, indicates that companies aren’t clear on what the changes mean for their organisations.
GDPR has bigger, sharper teeth than its predecessor, including substantial penalties for non-compliance, so businesses need to be confident they won’t be caught out.
So let’s get you GDPR ready…
GDPR will have an impact on all businesses but – with some needing to use ‘personal data’ more than others – the first step is to understand what personal data you have, where it came from and how you will need to use it after May 2018.
The good news is that the new legislation builds on many of the concepts and principles used in the current legislation; if you comply with data protection laws now, you’ll have firm foundations to build on. If you don’t, it’s high time to get your foundations in place. So, here’s a look at some of the key areas that will be changing and what they mean for your business.
Consent: There is still widespread confusion around the increased consent requirements, with people mistakenly believing businesses will no longer be able to process data without it. Instead, you should focus on why you have and want to use the data and decide whether other, more appropriate legal bases for processing exist, such as having a legitimate business need or a legal requirement. However, there will still be obligations to provide required information to data subjects even if consent is not necessarily needed.
In a similar vein, some people are worried they won’t be able to use an email database for marketing to their audiences because of GDPR. In fact, it is only the threshold for consent that’s being changed. The requirements for consent are driven by the Privacy and Electronic Communications Regulations, which may be changed by the e-Privacy Directive in due course.
Rights to access data: As before, customers/patients will be free to request a copy of their data, but organisations and businesses will now have to comply within one month and provide the first copy free of charge. This may seem like a simple request to fulfil; however, as a small business, your CRM system may not lend itself well to this. Data may be scattered across servers or departments, and an influx of customer requests could be a drain on resources. Now is the time to ensure your systems will be able to handle a large volume of requests.
Right to be forgotten: Businesses/organisations shouldn’t hold onto a customer’s data indefinitely – they must keep only what they need; if it’s very old, and of no use to the business, delete it. Under the Regulations customers will gain new rights, one of which is the aptly named, ‘right to be forgotten’ (…Mr Who?)
Data protection: New regulations will take cybersecurity up a notch. If you don’t already have one, now may be the time to get an IT expert on board to lead encryption and pseudonymisation. This tongue-twister is a new concept which means personal data can’t be attributed to a specific individual without more information (think high-tech pseudonym!)
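Pseudonymisation in practice, as an added illustration that is not part of the article or HRC Law’s own material: the direct identifiers in a constructed patient record are replaced with a keyed HMAC token, so the working dataset alone cannot be attributed to a person; the key and the link table are the “more information” and are assumed to be held separately by the practice.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Fields that identify a person directly; they never enter the working dataset.
DIRECT_IDENTIFIERS = ("patient_id", "name", "email")


def generate_key() -> bytes:
    """Secret HMAC key: the 'more information' needed to attribute a record.

    Assumed policy: held by the practice separately from the working data.
    """
    return secrets.token_bytes(32)


def make_pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed token for a patient identifier.

    HMAC rather than a plain hash: without the key a token cannot be
    recomputed from a guessed identifier, so it is not attributable on its own.
    The same patient always gets the same token, so records stay linkable.
    """
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> Tuple[dict, Dict[str, str]]:
    """Strip direct identifiers and attach a pseudonym.

    Returns the record for the working dataset and one link-table entry
    (pseudonym -> patient_id) to be stored separately under access control.
    """
    pseudonym = make_pseudonym(record["patient_id"], key)
    working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    working["pseudonym"] = pseudonym
    return working, {pseudonym: record["patient_id"]}


def reidentify(working: dict, link_table: Dict[str, str]) -> str:
    """Only the holder of the separately stored link table can attribute a record."""
    return link_table[working["pseudonym"]]


# Constructed sample record for the example; not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "name": "A. Example",
    "email": "a.example@example.invalid",
    "appointment": "2018-05-25",
    "treatment": "check-up",
}
```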
Data breach: Should the worst happen, and your business suffers a data breach, you must notify the regulator – and in some cases your customers – within 72 hours.
Some of these changes will take time to implement so, if you haven’t already done so, you should start preparing now.
Try starting with the areas below.
Delegate: Clearly delegate responsibility for compliance to someone within your business. This doesn’t necessarily mean you will have to appoint a data protection officer (though some businesses will have to), but it does mean you need a considered and documented approach. The changes will affect different organisations in different ways. Whoever is responsible for compliance should know enough about how your business operates to be able to spot problem areas.
Carry out an information audit: An audit of the current situation should be every business’s starting point. Now, more than ever, you need to know your data: the legal basis for processing it, the points at which you collect it and your system’s capabilities. This can feel like a monumental task, so we’ve developed a checklist and audit package to guide our clients through this stage. Look at how your organisation uses personal information – this will help to highlight problem areas and prioritise when and where to focus initial energies.
At a minimum, you need to know:
- what personal data you hold;
- where it came from;
- who you share it with.
Draft an action plan: Begin by targeting areas that will most affect your organisation (or take the longest to implement, such as contractual renegotiations) and leave no stone unturned.
We know that businesses are finding IT to be a big obstacle in the planning process, so we urge companies to understand, as soon as possible, whether their existing IT will allow them to make the necessary changes.
Some companies we’ve conducted GDPR audits for have found they are limited by their own IT infrastructure and software. An example of this was not being able to have different review periods and deletion dates for different categories of data subjects. It is crucial to understand these restrictions in good time to review the situation and address it with the IT team, while not disrupting business continuity.
Waiting for the full picture
It’s important to bear in mind that we don’t yet have a full picture and we are still waiting for guidelines from the Regulator which will provide extra details and context for how they will apply GDPR; however, we do understand the core principles and it is important for businesses to take steps now to start to get their houses in order.
Businesses must take care not to leave it too late or, potentially, hinder business growth in the meantime. Many of our clients are being asked about their approach to GDPR in procurement and tender processes, for example, so it’s important to know what issues will affect you.
Time is still on your side, but preparation is key. Don’t leave it too late.