There’s just one week until new EU legislation on data privacy takes effect on May 25th. This new legislation holds marketers and data processors accountable for increased data security, privacy, and transparency. It’s also important to note that the law applies to any company that stores data on and targets citizens of the EU, regardless of where your company is located.
As the deadline approaches, here are some key questions you can ask yourself to determine if you are GDPR compliance ready:
Have You Conducted a Data Audit?
The first step to a GDPR compliance plan is an exhaustive review of your data. A data audit should include mapping out what personal data your business collects, where it comes from, and how it is being processed. Regular data audits and exercises should also be regularly conducted after GDPR takes effect. When auditing your data, be sure to find out the following questions:
- How do you collect your data?
- Where is it stored?
- Who are the key people in your organization responsible for this data?
- What are the reasons behind the data you store?
- Is there any third party data? If so, what are their processes and have you updated your contracts with them?
- How long is data being held for?
- Is it necessary to continue storing the data?
Have You Established Your Breach Response Plan?
Under GDPR data controllers are obligated to notify the relevant national supervisory authority within 72 hours when there is a personal data breach. A data breach can be defined as any situation where an outside entity gains access to personal data without the express permission of the individual. Data processors will also have to notify their customers of the breach. Personal data can be interpreted as anything that could be personally identifiable such as name, id number, user ids, or online identifiers.
So what happens when there is a breach in your security? Do you have a game plan? If not, it’s time to implement an incident response program. Make sure you discuss what constitutes a data breach with all your employees. It only takes one oversight to be noncompliant.
Have You Updated Your Privacy Policy?
GDPR stipulates that your privacy policy be written in “concise, transparent, intelligible and easily accessible, using clear and plain language. In the past, privacy policies could be purposefully obscure so consent could be argued. This will no longer fly. If you look in your inbox, you are likely to see many new “update to privacy policy” emails from big brands that have been sent out recently.
Have You Reviewed How You Obtain Consent ?
Under GDPR, organizations are obligated to demonstrate that their data subject provided their consent unless they have other lawful grounds for collecting their data. The consent needs to be provided through an affirmative act. A pre-clicked checkbox, for example will no longer suffice.
Does everyone realize how severe the consequences of GDPR noncompliance are?
Fines for non-compliance with GDPR can be up to €20,000,000 or 4% of annual global revenue, whichever is highest. Companies should communicate the severity of these consequences clearly to their employees and develop a comprehensive training program to help them understand how to avoid them.
Language regarding the protection of data can also be included in organizational documents such as the code of conduct and training manuals. Contact your HR department and find out where you can include it.
Do You Need to Appoint a Data Processing Officer?
If your company stores enough data that it warrants regular and systemic monitoring, or if your company stores sensitive data such as criminal offences, health or religious beliefs you are required to appoint a DPO. Again, this data only applies if those data subjects who are in the EU.
If you need assistance with moving towards GDPR compliance, BMGcreative has reasonably priced, personalized packages for companies of all sizes.
Disclaimer: Do not rely on this article as legal advice. Please consult an attorney to verify the interpretation of the law and how it applies to your circumstances.