Everyone has been talking about the General Data Protection Regulation (GDPR) now for what seems like forever, with most organisations now aware and starting to understand the implications. We are all receiving a number of emails every day that are trying to scare us into taking some sort of action but the truth is no one really knows what is going to happen come the 25th May 2018 when the GDPR comes into force as it has not yet been fully defined. We do know that we will need to change the way we work when it comes to how we collect and use personal data.
One thing you can do which will help you on your GDPR compliance journey is to be totally transparent about where the data you hold sits and what you do with it. For example, editing your Privacy and Cookies policies to show exactly what you intend to do with the data you hold and giving people the option to opt in, rather than automatically opting people into receive emails even with the option to opt out. Make a list of where all the data in your business resides that contains personally identifiable information, knowing where this data lives is the first step to protecting it.
Let’s look at a few of the myths surrounding the GDPR
- It is just a problem for your IT department to deal with whether that is in-house or outsourced.
This is not true, everyone needs to be fully aware of the GDPR and the way they need to be processing and handling personal data at all levels of every organisation. The GDPR should signify a change in culture within every organisation that deals with personal data and this needs to be a companywide change.
- Every organisation needs to appoint a Data Protection Officer (DPO)
Many organisations will need to appoint a DPO who will play a key role in ensuring GDPR compliance but not every organisation that deals with personal data needs a DPO, so how do you know if you should be looking to appoint one?
You need a DPO if:
- You are a public authority (except for courts acting in their judicial capacity)
- You carry out large scale systematic monitoring of individuals (for example, online behaviour tracking)
- You carry out large scale processing of special categories of data or data relating to criminal convictions and offences
You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size. Any organisation can appoint a DPO regardless of whether the GDPR obliges you to or not.
- You can quickly and easily comply with the GDPR
To become GDPR compliant, you must involve multiple departments, including Legal, Marketing, Sales, Finance and HR, this in itself makes for a long process. Having to look at your processes and databases will mean a significant amount of planning and organisational work. With the GDPR coming into force on the 25th May you do not have much time.
If you would like to discuss your organisations GDPR compliance then please feel free to contact Complete I.T.