24 July 2017
If you have read our previous blogs on what GDPR is and on the ICO's advice on GDPR, you will know that the General Data Protection Regulation applies to your business and must be complied with by 25 May 2018. You will also know that there is a lot to take in, and that actioning all of the requirements is causing a lot of headaches. To help launch your GDPR journey, we have split the work down into bite-size chunks so that you can start making headway.
All of the information we provide reflects our best understanding at the time of writing; this blog does not offer legal advice. If you require advice on your specific business, we recommend that you seek independent legal advice.
The ICO has summarised GDPR in 12 specific areas; we think these can be addressed through four practical tasks. That does not include the first hurdle: getting the relevant people to know that GDPR exists and to agree to do something about it. This means assigning roles and tasks, and considering whether to appoint a formal Data Protection Officer (DPO).
The part of GDPR that a lot of people are focusing on is consent, because it heavily affects marketing activities. The new law requires a positive opt-in. On a web form, for example, that means a check box that is unchecked by default, next to a link to your policy on what you will do with the data. You will also need a way of recording that the person opted in, when they did so, and against which version of the policy.
For example, if you fill in the sign-up form linked to this article so that you can be kept up to date on data requests, you will see a check box and a link to our policy. Submitting the form notifies us with your details, the date of submission and the state of the check box, which we add against your details as a record. Our policy versions are all recorded by date, so we can show the policy that was in force at the time of submission.
Consent must be freely given and genuinely optional; it should never be a mandatory condition of providing a service or product. Note, however, that consent is not the only lawful basis under which data can be processed. If you require a person to provide personal details for a credit check before providing a service, for example, that processing cannot rest on consent, because the person has no real choice. In that case you would choose a different lawful basis and state it clearly when requesting the details.
Other areas of GDPR also need to be done before the deadline, but with consent the sooner you are compliant, the more of your existing data you will be able to keep using. Once you are collecting consent properly, you can direct people to your data capture forms. Useful blogs and white papers are a great way of attracting people to your site, where a capture form with a consent check box does the rest.
Requests from contacts to access the data you hold about them, to correct it, or to be forgotten become harder to handle in proportion to the number of places where you hold that data. Since you will no longer be able to charge for such requests and must respond within one month, making them as easy as possible to fulfil is a must. Remember too that you need to record why you hold each contact's data, so if there are several different reasons within the business you must make sure each one is logged.
If you run a single integrated ERP system such as Microsoft Dynamics® NAV or Microsoft Dynamics 365, accessing contact data is easy because it is all stored in one place. Fulfilling a request could be as simple as a report that is run and automatically sent to the person who made it.
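To make the two points above concrete (recording a positive opt-in against the policy version in force, then answering access and erasure requests from the same store), here is an added example in Python. It is not the blog's code and not a Dynamics feature; the form field names `email` and `marketing_consent`, the policy version labels, the `source` identifiers and the people in the walk-through are all assumptions constructed for the example.

```python
"""Recording positive opt-in consent and answering data-subject requests.

Added example, not the blog's or Microsoft's code. Assumptions: the form posts
an 'email' field and a 'marketing_consent' checkbox that is unchecked by
default, so the field is present only when the person ticked it; policy texts
are versioned and hashed so a record proves which wording was shown at the time.
"""
from __future__ import annotations

import hashlib
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class PolicyVersion:
    version: str
    published: datetime
    digest: str  # SHA-256 of the policy text linked next to the checkbox


def register_policy(version: str, published: datetime, text: str) -> PolicyVersion:
    return PolicyVersion(version, published, hashlib.sha256(text.encode("utf-8")).hexdigest())


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    consented: bool          # True = opted in; False = box left unchecked, or consent withdrawn
    policy_version: str
    policy_digest: str
    recorded_at: datetime
    source: str              # hypothetical form identifier, e.g. "gdpr-blog-form"


class ConsentLedger:
    """Append-only log of consent events; the latest event for a person wins."""

    def __init__(self) -> None:
        self._policies: dict[str, PolicyVersion] = {}
        self._records: list[ConsentRecord] = []

    def add_policy(self, policy: PolicyVersion) -> None:
        self._policies[policy.version] = policy

    def policy_in_force(self, at: datetime) -> PolicyVersion:
        """The most recently published policy at the moment of submission."""
        live = [p for p in self._policies.values() if p.published <= at]
        if not live:
            raise ValueError("no policy published at %s" % at.isoformat())
        return max(live, key=lambda p: p.published)

    def record_submission(self, form: dict, submitted_at: datetime, source: str) -> ConsentRecord:
        # An unchecked box is simply absent from the POST; only an explicit "on" is an opt-in.
        opted_in = form.get("marketing_consent") == "on"
        policy = self.policy_in_force(submitted_at)
        rec = ConsentRecord(form["email"].strip().lower(), opted_in,
                            policy.version, policy.digest, submitted_at, source)
        self._records.append(rec)
        return rec

    def withdraw(self, email: str, at: datetime, source: str = "unsubscribe-link") -> ConsentRecord:
        policy = self.policy_in_force(at)
        rec = ConsentRecord(email.strip().lower(), False, policy.version, policy.digest, at, source)
        self._records.append(rec)
        return rec

    def subject_access(self, email: str) -> list[dict]:
        """Everything held about one person, oldest first: the answer to an access request."""
        key = email.strip().lower()
        return [asdict(r) for r in self._records if r.email == key]

    def has_consent(self, email: str) -> bool:
        history = self.subject_access(email)
        return bool(history) and history[-1]["consented"]

    def erase(self, email: str) -> int:
        """Right to erasure: drop the person's records and return how many were removed.
        Whether to keep a non-identifying suppression entry instead is a policy decision
        outside this example."""
        key = email.strip().lower()
        before = len(self._records)
        self._records = [r for r in self._records if r.email != key]
        return before - len(self._records)


def demo() -> dict:
    """Constructed walk-through: two policy versions, three form posts, one withdrawal."""
    ledger = ConsentLedger()
    ledger.add_policy(register_policy("2017-07", datetime(2017, 7, 1, tzinfo=UTC),
                                      "v1: we will email you our GDPR blog series."))
    ledger.add_policy(register_policy("2018-05", datetime(2018, 5, 1, tzinfo=UTC),
                                      "v2: ...and occasional event invitations."))
    # Constructed submissions, not real people. Bob left the box unchecked.
    ledger.record_submission({"email": "Ann@Example.org", "marketing_consent": "on"},
                             datetime(2017, 7, 24, 10, 0, tzinfo=UTC), "gdpr-blog-form")
    ledger.record_submission({"email": "bob@example.org"},
                             datetime(2017, 8, 2, 9, 30, tzinfo=UTC), "gdpr-blog-form")
    ledger.record_submission({"email": "ann@example.org", "marketing_consent": "on"},
                             datetime(2018, 5, 3, 15, 45, tzinfo=UTC), "newsletter-form")
    before = ledger.has_consent("ann@example.org")
    ledger.withdraw("ann@example.org", datetime(2018, 6, 1, 8, 0, tzinfo=UTC))
    return {
        "ann_before_withdrawal": before,
        "ann_after_withdrawal": ledger.has_consent("ann@example.org"),
        "bob_consent": ledger.has_consent("bob@example.org"),
        "unknown_consent": ledger.has_consent("nobody@example.org"),
        "ann_policies": [r["policy_version"] for r in ledger.subject_access("ann@example.org")],
        "bob_erased": ledger.erase("bob@example.org"),
        "bob_after_erasure": ledger.subject_access("bob@example.org"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The hash of the policy text matters more than the version label: it lets you show, months later, the exact wording that sat beside the check box when the person ticked it, which is what an access request or a complaint will ask for.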
Breach detection is a very difficult area to cover. The obvious question is: how do you know when someone is hacking you? A large part of the answer is simply having a policy in place, especially for reporting and investigating incidents (GDPR expects notifiable breaches to be reported to the ICO within 72 hours of your becoming aware of them). Actually detecting breaches is harder to achieve and largely comes down to the platform your data is held on.
A lot of cloud solutions, such as Azure and Office 365, include threat and breach detection based on unusual activity, such as sign-ins from unfamiliar locations or abnormal volumes of data access.
Something to consider here is the level of responsibility you hold. With an on-premises solution on your own servers, you are responsible for every aspect of the security of the data. With cloud-based solutions the responsibility is shared with the provider, which lets your policy refer to the supplier's own policy for the parts they cover; you remain responsible for what is yours, such as who you grant access to and how your data is configured. Have a look at Microsoft's white paper on shared responsibility for more information.
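The "unusual activity" that hosted platforms look for can be approximated on-premises too. The following added example (not from the original post and not any vendor's detection logic) runs two simple rules over a constructed application audit log: a user exporting far more contact records in a day than their own history suggests, and a user acting from an IP address never seen for them before. The log line format, the field names and the thresholds are assumptions chosen for the example.

```python
"""Two 'unusual activity' rules over an application audit log.

Added example, not from the original post or any vendor. The line format
(timestamp user= action= count= ip=) and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from statistics import mean

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) count=(?P<count>\d+) ip=(?P<ip>\S+)$"
)

# Constructed sample (not real log data): three quiet days, then one export of
# 4,800 contact rows at 02:13 from an address jsmith has never used before.
SAMPLE_LOG = """\
2017-07-17T09:14:02Z user=jsmith action=export_contacts count=40 ip=10.0.0.12
2017-07-18T10:02:11Z user=jsmith action=export_contacts count=55 ip=10.0.0.12
2017-07-19T08:47:30Z user=jsmith action=export_contacts count=45 ip=10.0.0.12
2017-07-17T11:30:00Z user=apatel action=export_contacts count=10 ip=10.0.0.31
2017-07-18T11:35:12Z user=apatel action=export_contacts count=12 ip=10.0.0.31
2017-07-19T11:31:45Z user=apatel action=export_contacts count=9 ip=10.0.0.31
2017-07-20T02:13:09Z user=jsmith action=export_contacts count=4800 ip=203.0.113.77
2017-07-20T09:05:00Z user=apatel action=export_contacts count=11 ip=10.0.0.31
"""


def parse_log(text: str) -> list:
    """Parse matching lines into dicts sorted by timestamp; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["count"] = int(ev["count"])
            ev["day"] = ev["ts"][:10]
            events.append(ev)
    # ISO-8601 'Z' timestamps of fixed width sort chronologically as strings.
    return sorted(events, key=lambda e: e["ts"])


def detect(text: str, spike_factor: float = 5.0, min_rows: int = 500) -> list:
    """Alerts for export-volume spikes against each user's own history and for first-seen IPs."""
    events = parse_log(text)
    alerts = []

    # Rule 1: a day's export volume versus the user's mean over their earlier days.
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> rows exported
    for ev in events:
        if ev["action"] == "export_contacts":
            daily[ev["user"]][ev["day"]] += ev["count"]
    for user, by_day in daily.items():
        days = sorted(by_day)
        for i, day in enumerate(days[1:], start=1):  # the first day has no baseline
            baseline = mean(by_day[d] for d in days[:i])
            total = by_day[day]
            # min_rows stops a tiny baseline (2 rows yesterday, 11 today) from paging anyone.
            if total >= min_rows and total > spike_factor * baseline:
                alerts.append({"rule": "volume_spike", "user": user, "day": day,
                               "total": total, "baseline": baseline})

    # Rule 2: an IP address never seen for this user (their very first event is not judged).
    seen_ips = defaultdict(set)
    for ev in events:
        user, ip = ev["user"], ev["ip"]
        if seen_ips[user] and ip not in seen_ips[user]:
            alerts.append({"rule": "new_ip", "user": user, "day": ev["day"],
                           "ip": ip, "known_ips": sorted(seen_ips[user])})
        seen_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Both rules compare a user against their own history rather than against a fixed number, which is what keeps a busy sales user from being flagged every day while still catching an account that suddenly behaves differently. Neither rule tells you a breach has happened; they tell you where to look first, which is the part of "having something in place" that is otherwise hard to show.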
A lot of companies are concerned about the new regulations, and smaller businesses are struggling to deal with the implications. The main piece of advice is to make a genuine, documented effort. If you do nothing and fail to meet the requirements, you are likely to be hit with a crippling fine.
We will continue to publish advice as we gain further insights. Our next blog will discuss some bad ideas that we have heard, as well as dispelling some myths that we have seen. To join our mailing list, please provide your details in our newsletter form.