Top 3 Steps to GDPR Compliance


Posted: 17/05/2018 11:38:54


What is GDPR?

GDPR is a new EU-wide regulation that sets out the framework, principles and rules under which to obtain, use, process, hold, distribute and retain personal data. If you don't have personal data then GDPR does not apply to you.

 

However, all businesses are going to hold some personal data, whether it's:

  1. Employee data – this includes the usual details such as name, address and bank account details; under GDPR an employee number issued by the employer is also personal data.
  2. Supplier details – yes, the sales and accounts people you have on record from your suppliers constitute personal data.
  3. Customer data – again personal data
  4. Prospective customers – again personal data
  5. Other data – CVs, marketing lists, email addresses, phone numbers, cookies, URLs

This is not a full list, just an example of how you can categorise the personal data you hold. Basically, if you are not sure whether something is personal data, it might be safer to assume it is!


Does GDPR mean I cannot hold personal data?

No. GDPR regulates the conditions under which you can obtain, process and use personal data. There are six legitimate reasons to obtain, hold and process personal data, and these are:

  1. Consent – positive affirmation; basically it's an opt-in process
  2. Public interest
  3. Legal obligation
  4. Contractual
  5. Vital interest of the data subject (you and me)
  6. Legitimate interest of the Data Controller

The main areas most organisations are going to obtain personal data are contract, legal obligation and consent.

If you obtain the data under consent, then there are four areas you need to consider:

  1. Was the personal data obtained fairly? – opt-in
  2. Did you fairly process the data? – i.e. did you use the data for the purpose for which you said you were collecting it?
  3. Is there a legitimate interest? – is the data needed for your current business objectives?
  4. How will you retain and delete the data? – how long will you keep the data, and when and how will you delete it?

Is GDPR trying to stop me conducting and growing my business?

No. The principles upon which GDPR are built are around building trust and encouraging greater use of online services.

Essentially GDPR is about good data management, which may be a bit of a pain and a drag on resources to begin with. However, it will, or at least should, result in greater robustness, trust, use and reliance on data in your business. This will result in data-based decisions and better business for you.


Three Things to do Today to Get Started

So if you haven't yet started, or you want to check whether you have started in the right way, then my top three tips are:

  1. Identify and Clarify what Personal Data you have

This could take one page or several pages. For employee data you might hold soft and hard copies of their personal information, e.g.:

  1. Home address
  2. Date of birth
  3. Phone, email
  4. Bank account details
  5. Emergency contact details

And that might be it. All you have to do is the same for any other personal data. Wondering what other personal data you may have? See 'What is GDPR?' above.

  2. Set Data Retention Periods

All you do here is decide how long you are going to keep the personal data and the reason you need to keep it for that period of time. For example, employee data will be kept for three years after an employee leaves to fulfil tax and employment purposes, as well as to provide a reference to future employers.

  3. Create Policy Documents around Data Retention, Use, Privacy and Access

In other words, how long we keep your data, how we use that data, our approach to protecting your data and how you can see what data we hold on you. Yes, you have to share this, you have to do it for free and you have to do it within 30 days after it is requested.

Under GDPR, the organisations that collect and retain personal data have to do the above; to put it another way, organisations are now accountable to me personally for how they collect, manage and use my personal data. Oh yeah, and there are significant fines of 4% of turnover or €20 million, whichever is the greater, for failing to do it!

Now, while you should get legal advice about all of the above, a good start may be to look at what other companies in your industry are doing and see if you can develop some ideas around your own approach.


Summary

GDPR is arriving on the 25th of May. It brings extra work, but in the medium and long term the potential for better controls, management and use of data within your organisation will help grow your business.

For more contact GeoDirectory at info@geodirectory.ie

Other blogs that may be of interest:

If you found this blog interesting you may be interested in the following blogs from GeoDirectory:

Innovation: 

This blog looks at a high-level understanding of what exactly innovation is, what the key areas are and the paths to innovation.

Big Data. Handle with Care!:

Big Data, Big Data, Big Data. This is a refrain which one hears with ever increasing frequency. This blog looks at the Big Data issues from a cautious standpoint.

Connecting Big Data with Business:

'Big Data is the new oil.' This is a quote which is frequently heard, but what does it mean and how relevant is it in a business environment?

7 Golden Rules of Data Quality