With the countdown in single digits, we’re nearing the time where GDPR will stop being a mythical being and become real, cold hard legislation. Like it or not, GDPR is here to stay, and yet many businesses still aren’t ready for what that means. But if that’s you, don’t worry. We have 6 last minute ways you can prepare for GDPR to make sure you won’t fall foul of the new rules. Bear in mind this isn’t designed to be a complete guide to compliance, more a few simple steps you can take to make sure you’re meeting the minimum standards required, before delving into the more in-depth stuff a bit later on.
Familiarise Yourself with The Regulation
If you haven’t done so already, take a few minutes to read through the regulation. Because it’s an EU law it isn’t written in such complex legalese as some, so it’s fairly easy to understand. Reading through will help you gain an understanding of what your responsibilities are, and what kind of data it aims to protect (i.e. name, address, ID numbers, location, IP address, cookie data, RFID tags, health and genetic data, biometric data, racial or ethnic data, political opinions, sexual orientation).
Do A Complete Data Audit
Once you know what you’re looking for, it’s time to do a complete audit of the data you already hold. This is going to be the most time-consuming element, but ultimately the most important. You will need to go through all your systems (digital and physical) and determine the following:
- What personal data you hold on EU residents
- What is your lawful basis for processing
- How it was collected, and have you provided a fair processing notice
- Where it is stored
- How secure it is
- What risk factors there are
- If you actually need all of that data
This is also a great way to ‘spring clean’ your data. If you find data that you don’t really need, then get rid of it. For example, if you have a huge mailing list with a lot of inactive users, consider refining the list to remove those who really don’t need to be on it. Now, you have a refined database of people who actually want to hear from you – a bonus for your marketing!
Plan For Minimal Collection
Going forward, make it a policy to only collect the minimum amount of data you need. No more collecting as much as you can ‘in case you might need it’. Instead, decide what data is absolutely critical or important for your business processes, and only collect that. Anything above that becomes an unnecessary liability, and difficult to justify possessing with a valid lawful basis for processing.
Update Your Marketing Strategies
Because GDPR has stronger rules on consent than its predecessor, you will need to take a look at your marketing strategies. Prospects must now actively opt in to hearing from you, and you need their express permission to collect and use their data. In other words, you can’t use tricks like pre-ticked boxes to gain consent or be unclear about what people are consenting to. This change might mean you need to update your website, print materials and forms so that it’s made clear what the data will be used for. You’ll also need to update your cookie notification with the ability for users to disable cookies early on and still use your website.
Conduct A Cybersecurity Review
Cyber crime is on the rise and it’s getting more sophisticated year-on-year, so if you rely on computer networks to store, collect and share data across your organisation (which most do), you need a cyber security review. Some things to ask yourself include:
- Is the network safe and secure?
- How easily can it be breached?
- Are there potentials for data leakage?
- Are your employees security savvy?
- Is your data encrypted?
- Are your devices protected from malware?
Contact Third Parties About Compliance
If you use third parties to process any data, then you need to make sure they are GDPR compliant as well. This could be a marketing company who is handling your mailing list, or the IT company hosting your backups. So, make sure you contact them and get their assurance of compliance.
Of course, this list isn’t everything you need to do but it’s a great starting point on the road to GDPR compliance. From here, you will need to take into account a number of factors, and odds are, some changes will need to be made. If you’re still struggling with GDPR compliance at this late stage, it’s worth bringing in an GDPR consultancy expert to help you. At Bridewell, we’ve been working tirelessly with business owners across the UK to bring their systems and processes in line with GDPR before the clock ticks down on Friday.
For more information on how Bridewell’s services can support your organisation, get in touch with our team for a confidential conversation.