I've had a few queries regarding the upcoming GDPR legislation. The upcoming changes affect different kinds of businesses in different kinds of ways, and the amount of information out there is overwhelming.
It is important to note that although GDPR deals with information and data processing, it is not, nor was it ever intended to be, an IT-led policy. Your company's strategy should be led by your legal team or by people with specific training in GDPR legislation. For those of you who deal exclusively with B2B sales, what I detail in this post is likely accurate enough and your exposure is limited. But for those of you in the B2C world who market to your customers extensively or resell customer information, it would be advisable to seek out specialist advice.
Will GDPR apply to my business?
GDPR applies to any business that handles or processes personal data of EU citizens. This doesn't just mean customers - employee, supplier and partner data is also included.
So what's it all about?
A successful GDPR strategy is all about process: knowing what you have, how you got it, and, if someone asks, whether you can find it.
- What personal information do you have?
  - Employee data, customer contact information, supplier contact information
- How did you get this data?
  - What consent was given?
- Who has access to your data?
  - Is the data stored on a shared folder that everyone in the company has access to?
  - Does everyone who has access need it? Or can we restrict the number of people who can access the information?
- If someone asks you to remove their information, can you do it?
  - How can you find their information?
  - Are you sure you have deleted everything?
  - How can we ensure their data isn't restored from a backup?
Finding the answers to these questions already puts you on the right track, beginning to formulate your data processing standards.
So what must we do?
At a minimum, you need to have some written policies in place to demonstrate compliance.
- Data Protection Policy - a guide for employees regarding data. It explains how they are allowed to use data, how they must keep it secure, and the consequences of misusing it.
- Data Retention Policy - a document explaining when data held electronically should be deleted.
- Data Breach Incident Policy - a document specifying what to do should a data breach occur.
Depending on your business, other policies may be required, such as a Social Media Policy and a Marketing Policy.
The documents need not be overly verbose, but they do need to be detailed and cover all the different information your company holds. They also need to make it clear who is responsible for what kind of data.
How does the right to be forgotten figure into this?
If someone requests to have their information removed - whether a customer or an ex-employee - this request should be complied with.
In the case of an ex-employee, if there is legislation requiring specific data to be retained (e.g. payroll data), this trumps their request.
It is not necessary to delete their information from backups, but there needs to be a process/policy in place to make sure their data is not restored if you have to recover from a backup.
I deal with a lot of marketing and haven't even thought about this, should I panic?
No need to panic, but I'd encourage you to have a conversation with us.
These documents that you say are needed - do you have a boilerplate document we can use?
We are pulling together outline documents, but we don't have a template that you can just stamp your name on and re-use. It's important that this process is thoroughly audited, and we recommend keeping notes so that you can show how you reached the conclusions you did. Part of the legislation is about showing that you've made every effort to comply - not just downloading a template from the internet and filling in the blanks.
If this is something you'd like us to help you with, please do get in touch.
12 steps to take now - Preparing for GDPR - from the Information Commissioner's Office.