
Three GDPR questions you need to answer

Last week, the biggest shake-up to data protection laws in 20 years, the General Data Protection Regulation (GDPR), came into force across the European Union. The law is a major overhaul of how organisations can store, secure and manage their customers’ data.

If you find that your organisation isn’t prepared for these changes, don’t panic just yet. The Regulation is being overseen by the Information Commissioner’s Office (ICO) in the UK, and they have consistently stated that they are looking to see ‘commitment, not perfection’ when it comes to adhering to the requirements.

That being said, there is plenty you need to do, sooner rather than later, in order to comply with GDPR.

Have you updated your policies and procedures?

Make users aware of what information you store on them and for what purpose. Clearly set this out in plain, easy-to-digest English in your Privacy Policy and Terms and Conditions, and make both accessible through your website. Update these documents, inform your customers of the changes you’ve made and, most importantly, adhere to what you’ve committed to in these policies.

Are your processing agreements up-to-date?

Say you use a supplier to carry out some of your business operations – this includes anyone from your payroll software to your marketing agency or IT partner, like ourselves – you need to ensure that they have adequate data protection agreements between you. This means updating the agreements you have in place. We can’t stress how important this is; if data is mismanaged because of a lapse in agreements, the ICO will take this as a direct violation of the GDPR’s requirements.

Can you identify all of the customer data you have on record?

As part of the GDPR, you need to be able to identify and supply the data you hold on a particular customer, should they request it. This is known as a Subject Access Request and should include everything from their personal information to any activity (orders, purchases, card data) on record, as well as when the consent to send them marketing emails was granted. It’s a huge task and you must be able to supply this within 30 days. Can your systems and staff cope if multiple requests were simultaneously made?

While the ICO says that it’s looking for a commitment from organisations, it isn’t messing about when it comes to non-compliance; the government body has every intention of fining 4% of your company’s annual turnover or €20 million for failure to comply. Therefore, it is imperative that you start, if not complete, your GDPR compliance journey now.

We have collated a number of useful resources, as well as benchmarking tools and how GDPR affects different business functions here.