By now, most of us are, or at least should be, au fait with the challenging but necessary changes that GDPR compliance requires of us professionally. These obligations apply at every level, from the individual through to company-wide implementation. Are you ready for the regulation to apply? Enforcement will be firm, but the regulator has acknowledged the scale of the overhaul many companies face, so even if you are not 100% compliant on the day the regulation applies, demonstrable progress puts you in a relatively safe position. The message from Elizabeth Denham, the UK Information Commissioner, is clear: do not let any more time pass, and make sure you are either GDPR-ready or, ideally, have fully completed the necessary changes in the organisation you represent. GDPR must be on your board agenda, and you must be able to produce evidence that it is. We know this is a complicated process, so we have put together a checklist covering some of the key points you will need to navigate over the coming weeks:
Review and document the data you hold
A key component of GDPR compliance is analysing what personal data you already control, why your company holds it and whether it is appropriate to keep storing it going forward. This means producing an inventory of all the personal data you hold, recording what the company intends to use each category for and which lawful basis justifies keeping it. GDPR provides six lawful bases: consent (freely given, specific and explicit); contract (processing needed to fulfil a contract with the individual, for example recording purchases and issuing invoices); legal obligation; vital interests (protecting someone's life); public task; and legitimate interests, which is the controller's own legitimate interest in the processing, balanced against the individual's rights and reasonable expectations. Note that legitimate interests is a basis the company must assess and document for itself; it is not something the individual indicates.
Examples of this data are details about a past, present or prospective customer or supplier: their name, email address, telephone number or mailing address. You must hold such data only for as long as the relevant business process requires it, and delete it securely when it is no longer needed. It is also worth noting that these concerns do not extend to genuinely anonymous analytical data, which can be stored freely, provided it really is anonymous and carries no contact information or other data that could identify an individual. Be careful here: data that has merely been pseudonymised (for example, a customer record keyed on a hashed email address) can still be linked back to a person and remains personal data under GDPR.
Your storage systems should be able to manage preference and consent data alongside each personal data record, so that you can look up and evidence each user's preferences, such as opt-in status and chosen communication channels. Each consent record should show who consented, when, what they were told and how they indicated agreement. It is also vital that consent is collected through clear and transparent means; consent obtained through unclear or leading mechanisms will not be considered valid. Pre-ticked boxes, silence, inactivity or any other mechanism that does not reflect the user's true intentions fails this test, because the user has effectively been coerced, improperly incentivised or not properly informed of what they are consenting to and what it implies.
If you find that your existing consent records are not sufficient evidence, and you have no other lawful basis for holding the data (check against the lawful bases listed earlier, including legitimate interests), you will need to contact each affected user and ask them to confirm their consent. Where no confirmation is received, the relevant records must be removed, following your secure deletion procedures. The upside is that while your mailing lists may shrink in the short term, the contacts that remain should show higher engagement and, in turn, better conversion.
GDPR sets out further responsibilities, which is why these issues belong on your board agenda. From processing through to storage, appropriate measures must be in place to protect the data. A personal data breach that is likely to pose a risk to individuals' rights and freedoms must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to the individuals affected, they too must be informed without undue delay. Should a breach occur, damage limitation must start immediately, so the procedures for detecting, investigating and reporting a breach must be defined in advance of this potential (but generally avoidable) situation.
Technical security must be re-examined to ensure that appropriate measures are built into the software, computer systems and networks through which any of the personal data you store is accessed or transmitted. Anti-virus and anti-malware technology is a baseline, not the whole answer: standards, practices and procedures must be created and documented to mitigate and minimise the remaining risk. It is also vital to keep IT systems up to date and to carry out technical updates and vulnerability scans regularly. Replace ageing equipment as required, because hardware and operating systems that have reached end of support no longer receive security fixes and their known weaknesses remain exploitable; at the very least, make sure your technology department is applying the latest security patches and updates promptly.
Data encryption should also be employed where appropriate, both for data at rest and for data in transit. Think about where, and over which internet connections, your internal servers are accessed from: does anybody work remotely, or access systems from outside the office? Even with small volumes of personal data, properly configured encryption (for example, TLS for connections and a VPN for remote access) protects key data in transit, and it also reduces the impact of a lost or stolen device if the data on it is encrypted.
It is easy to get swamped by the volume of information surrounding GDPR compliance, so we are giving it to you straight, in a clearer and more concise form. At present, not every aspect of compliance has been fully defined in regulatory guidance, so keep checking back for regular updates that help you operate under best practice and bring the most important and time-sensitive subjects to the boardroom table.
To keep up to date with articles just like this one, click here to become a member of Non-Executive Directors today, keep in the loop and access a wealth of resources.