How to Ensure GDPR Compliance
Practical steps to take before the 25th of May
We’re two months away from the huge new data regulation rollout. If your business is not yet prepared, then you’d best read this article, stat!
The GDPR stands for the “General Data Protection Regulation”. Coming into effect on the 25th of May, 2018, it is the European Union’s (EU) revised regulation on personal data, intended to ensure that the privacy of EU citizens is protected in this ever-advancing digital economy.
GDPR compliance doesn’t just apply to EU businesses; it applies to any business that deals with the personal data of EU citizens. This means that, even if your company is not physically located within the EU, if it has a hand in processing the personal information of EU citizens, then yes, it affects you too.
Replacing the outdated Data Protection Directive, which has been in place since December 1995, the GDPR aims to protect citizens from the misuse of their personal information. Along with more protection, it also offers more transparency and control, so that consumers know how businesses are using, holding, and processing their information. The new regulation also introduces severe penalties for those who fail to comply: businesses can face fines of up to €20,000,000 or 4% of the business’s annual global turnover should their GDPR compliance fall short.
So, how can you ensure that your business is compliant and doesn’t risk heavy financial penalties?
Steps to Take for GDPR Compliance
There is no single solution to make any business or organization fully compliant. It requires substantial planning and resource investment, as well as time and effort from everyone involved in your company.
We at Zenkit, being an EU-based business and all, thought to share some practical tips to ensure your business adheres to GDPR compliance:
Create an Action Plan
By now, senior management should already have their heads wrapped around the new regulations and what is required for total GDPR compliance. From here, the next step to take is to create a plan of action. A few suggestions on what your plan should cover:
- Education and training for your entire business
- Conducting a data audit
- Developing and implementing security measures to avoid any data mishaps
- The process for detecting a loss or breach of data, and the steps to take to report it
Educate Your Team
Company-wide compliance is a team effort, so it is imperative for all staff members to fully understand the details of the GDPR, regardless of whether or not they work directly with data. Provide training and information — which can be found in the General Data Protection Regulation PDF — and ensure your staff members are aware of the risks and consequences if the requirements are not met. Everyone involved in your business needs to be aware of the new regulations and where they stand. This includes clients and service users; don’t forget to pass the message on to them as well.
Data minimization is one of the specifications of the GDPR. It requires that your business only holds and processes information that is absolutely necessary for its duties to be carried out. Irrelevant data that does not benefit your company in any way shouldn’t be kept (what’s the point?). Establish what needs to stay and whether the rest is better off erased or encrypted. Also, prevent unauthorized access by reviewing and restricting access to personal data to only those who do the actual processing.
Eliminate Consent By Default
Consent by default is no longer acceptable under the new regulation. Policies must be changed to comply with explicit consent requirements such as recognizing the age of consent in each member state. The GDPR asserts that children cannot give lawful consent, and the age when someone is no longer considered a child varies in different countries. For instance, Germany and the Netherlands state 16 as the default age where consent can be given, whereas countries such as the UK and the Republic of Ireland are lowering it to 13. Ensure your data controllers and processors are aware of the different laws in different member states.
Embrace a “Privacy By Design” Approach
GDPR compliance involves adopting a privacy by design approach, which includes carrying out a data protection impact assessment (DPIA). This ensures that data protection is considered and included from the very beginning of system design, instead of being an afterthought. Carrying out a DPIA helps to identify data-protection-related risks in a new project and to reduce the chances of any breaches happening.
Invest in a DPO
DPO stands for Data Protection Officer and refers to an individual formally appointed within a business to oversee data protection strategies and to ensure that compliance with the new requirements is fully under way. The new regulation states that hiring a DPO is mandatory for businesses whose main activities involve monitoring data subjects on a large scale, processing special categories of data, or working with data relating to criminal convictions and offences.
For businesses where it is deemed not compulsory, it may still be worth investing in a DPO. Having one in the office ensures that there’s an expert on hand to provide information and training to employees across the business. If the budget doesn’t allow for the new recruit, then appointing a staff member to be fully trained in GDPR compliance could be an alternative solution.
GDPR compliance is crucial to ensure your business is permitted to keep operating. The purpose of the GDPR is to protect the privacy of EU citizens and to create a harmonized data protection regulation throughout the continent. Businesses that fail to comply not only risk the heavy financial penalties imposed by the GDPR, but also the loyalty of customers. Put yourself in the shoes of a consumer — we’re all one in some way or another — and think about what kind of company you would place your loyalty with: a brand that wants to protect your privacy and is transparent about what it does with your personal data, or one that is rather nonchalant about it?
For businesses who’ve already started the ball rolling, let us know if there are any steps you’ve taken that differ from the ones we’ve suggested. Exchanging tips and info will only help us all become one step closer to full GDPR compliance.
Dinnie and the Zenkit Team