12 steps to becoming GDPR compliant
The GDPR applies from 25 May 2018. Its many provisions protecting users' privacy are something of a legal minefield for marketers, who are always eager to use customer data wherever possible to target customers more precisely with propositions. Given its importance, we have shared much advice from legal specialists on the implications of the GDPR for marketing in the UK and Europe.
In this post we're alerting you to the opinion that matters most in the UK: that of the Information Commissioner's Office (ICO), the UK supervisory authority responsible for enforcing the GDPR. In its new guidance on preparing for the GDPR, the ICO gives companies more information to help them become compliant over the coming months, so make sure you use the resources it produces to help your business.
The good news is lawmakers have given businesses a full two years to become compliant. Sound like a long time? You'll be surprised at how fast it will go. Here is the GDPR implementation timeline.
To help companies make the most of those two years and ensure they don't miss the compliance deadline, the Information Commissioner's Office has helpfully produced a 12-point checklist for preparing for the GDPR.
1. Awareness
Make sure the decision makers and key people in your organisation are aware that the law is changing and of the timescale for implementing the necessary changes. Don't assume they already have a handle on it!
2. Information you hold
Document what personal data you hold, where it came from and who you share it with. An information audit across the organisation is often the only practical way to establish this.
3. Communicating privacy information
You should review your privacy notices and plan for how they will have to change to be GDPR compliant.
4. Individual rights
Check that your procedures cover all the rights individuals have under the GDPR, including how you would delete a person's data or provide it to them in a commonly used electronic format if they request it.
5. Subject access requests
Update your procedures and plan how you will handle requests within the new timescale (generally one month, rather than the 40 days allowed under the Data Protection Act 1998) and provide the additional information the GDPR requires.
6. Legal basis for processing personal data
Identify the lawful basis for each type of processing you carry out, and document it thoroughly; some individuals' rights differ depending on the basis you rely on.
7. Consent
Review how you seek, record and manage your customers' consent for any data collection, and check that it meets the GDPR's standard. If it doesn't, plan how you will make the changes.
8. Children
If you offer online services to children and rely on consent to collect their data, you'll need to put systems in place to verify ages and obtain parental or guardian consent.
9. Data breaches
You should ensure you have the right procedures in place to detect, report and investigate a personal data breach; the GDPR requires breaches that are likely to put individuals' rights at risk to be reported to the ICO within 72 hours of becoming aware of them.
10. Data protection by design and data protection impact assessments
Plan how and when you will carry out data protection impact assessments for processing that is likely to be high risk, and build privacy into new systems and processes from the outset rather than retrofitting it.
11. Data protection officers
Designate someone to take responsibility for data protection compliance and decide where this role sits within your organisation's structure. Appointing a formal data protection officer is mandatory in some cases (for example public authorities and organisations whose core activities involve large-scale, regular and systematic monitoring of individuals); even where it isn't, the responsibility still needs to be assigned to someone in the business.
12. International
If your organisation operates in more than one EU member state, determine which data protection supervisory authority is your lead authority.
Develop a timeline specific to your organisation
The 12 pointers provided by the ICO are a great place to start, and help to structure your thinking when it comes to becoming GDPR compliant. But they're just a first step and a handy way to check you've got things covered. Use these 12 points to build a much more detailed timeline for implementing the changes you'll need to make to become compliant. Doing so will take all sorts of different departments working together, so make sure to get all the stakeholders on board and don't set unrealistically short timeframes that lead to overruns. Once you start planning all the changes you'll need to put in place, you will soon find that two-year implementation window starting to look a little narrow. So don't put it off: start planning now.
For more information on the 12 steps mentioned above, you can download the ICO's short guide, Preparing for the GDPR: 12 steps to take now.