Things to Get Done Pretty Rapidly
I think most of us will know by now that the GDPR came into play on 25th May 2018.
If you weren’t completely ready for GDPR, and given where you are today, what are the quick fixes that you need to do as a priority?
The GDPR is about putting data at the same level as other pillars of your work. For example, if you are a marketer, it’s putting the same planning and organising effort into data as you would into content creation or campaign strategy.
But for those of us who haven’t made any great inroads into unravelling the organic spaghetti that has developed into a data ‘strategy’, what are the tasks that we should be doing and how should we be prioritising?
- Create a basic privacy policy.
- Create a list of organisations that process your data.
- Create a list of clients whose data you process.
- Do a top-level review of your IT security.
- Categorise your data processing segments so that you know what lawful reasons apply to you.
- Act now if you have any consent processing segments which don’t conform to GDPR standards.
- Create a generic ‘dataprivacy@’ email address and make sure people can easily find out about the address. Make sure you have someone who can quickly see and open the emails sent to that address.
- Do a quick summary of what different pots of data you have.
Documents and templates to do all of this are in our GDPR Compliance Roadmap Toolkit.
1 Don’t panic…
The GDPR is not here to stop business from doing business.
The GDPR has been created as a strategic framework for how the politicos believe organisations should use data. It is a bit nanny state, and the bureaucrats are trying to create structures that will work for the average organisation (and none of us is ‘average’), but with so much abuse of data, and with so many different interpretations of what is acceptable across the EU, it is understandable that the politicians are trying to organise things.
The key thing with GDPR is to make a start, and then make sure that you have a documented plan to finish things off.
If you are handling sensitive data (there is a specific definition of that under the GDPR), or criminal records data, or are processing large volumes of data regularly, then you should dedicate more effort to getting this sorted as soon as possible.
There are various tools available to help you with the areas we cover, and please let us know if you would like us to support you in doing this.
2 Privacy policy
Probably the highest priority is to create a basic privacy policy and publish it.
Plan time to extend and improve the policy, documenting when you do this and what you have done.
What you are aiming for here is a way to transparently convey to someone whose data you hold, what you are doing with their data, and why.
3 Processor agreements
The GDPR says that anyone who processes someone else’s data needs to have a contract in place – a processor agreement.
Note: processing is anything that relates to personal data – even just storing data. If you use OneDrive to store data, Microsoft is a data processor for your data.
3.1 Data processing that you outsource
- Create a list of organisations that process your data.
- Check which of these have already covered off the requirement to have a data processing agreement.
- For those that haven’t:
- Create a template processor agreement.
- Fill it in with your data processors’ details.
- Schedule when you want to get an agreement signed with them.
3.2 Data processing that you do for your clients
It’s not only the organisations that process your data that should have a contract; the organisations that you process data for (if any) should have a contract signed with you too.
- Create a list of organisations that you process data for.
- Check which of these have already covered off the requirement to have a data processing agreement with you.
- For those that don’t and don’t have plans for an agreement:
- Approach to see if they have a plan to roll this out.
- If they don’t, create a template processor agreement.
- Fill it out with their details, send it out and chase it up, if necessary, over the next couple of months.
4 IT Security
Having a strategy and plan for your IT and improving it is very helpful in gaining IT compliance.
A knowledge of your IT strengths and weaknesses is important in managing and safeguarding data against data breaches.
- Use a checklist to see what IT security you have in place.
- Identify gaps and plan and document what you will do to overcome the gaps and when.
5 Processing segments
A data processing segment is a group of data subjects whose data you treat in a single logical way. For example, you process your employees’ payroll: that’s one segment. You market to your prospects: that’s another.
- Identify your discrete data processing segments and document what these are.
- For each segment, work out what lawful reason (there are 6, of which only 4 are usually relevant to commercial organisations) you are using to process the data.
Each of the lawful reasons carries different obligations.
5.1 Legitimate interests
Once you know you are processing a segment using ‘legitimate interests’, make sure that you schedule a task to document legitimate interest tests:
- The tests feed into how you should be considering data as a strategic framework, and
- If the ICO visits, they will want to see the documentation that you have created.
We don’t mention the ICO to scare you or create FUD because, unless you are doing something deliberately provocative, a visit is not likely. The priority should be in feeding this into a strategic framework, which probably means that your other commercial interests might take an initially higher priority than documenting the results of your legitimate interests tests.
5.2 Consent
If you decide that any specific segment needs to be processed using ‘consent’, check if the consent that you have already gathered conforms to the new GDPR standards.
- If the opt-ins that have been gathered align with the new standards, you are fine. You will need to re-capture consent, but best practice is that this needs to be done 2 years from the last time that consent was gathered.
- If the consent doesn’t conform to the new GDPR standards, or you don’t have consent, then in theory you should obtain the consent.
However, now is possibly not a good time to do this. Normal opt-in rates are between 1% and 5% if you haven’t ‘touched’ contacts before. Even if the contacts are already opted in and you’re trying to update the consent, any opt-in rates are going to be considerably down on ‘normal’ right now because everyone and their mother is trying to gather consent and get you to opt in to their lists.
So, what should you do?
If you’re marketing to consumers (or sole traders or partnerships) and have realised you need to opt them in to marketing, then in theory (according to PECR) you should have been using opt-in marketing before 25 May. If you don’t have consent to market to them now, and you didn’t get consent before 25th May, you won’t be acting any more or less legally.
If you have consent which doesn’t meet the new standards, our advice might be to consider going with the consent levels you have today and start to gather a better standard consent when the GDPR dust has settled a bit. You won’t be GDPR conformant but you will probably have happier recipients. You need to look at what the risk is of a given strategy.
We recommend that you find time to think about things calmly rather than rushing into a knee-jerk reaction. There will be a way to do what you need to do.
6 Data subject rights
A major thing about the GDPR is the stronger rights it gives data subjects to get access to their data, get you to change it, or get you to delete it.
You need a process to be able to do that.
- A quick fix to allow them to do that would be to set up a generic ‘dataprivacy@’ email address and give everyone a link on your website (privacy policy) to this email address if they want to exercise their rights.
- This email would need to be easily and quickly received and processed by someone, as you need to react to and fulfil a ‘request’ (actually a demand) within 30 days.
- Make sure that you schedule and plan time to work out a more sophisticated way to help exercise user rights.
7 Data mapping
Create a top-level map of the data sources that you use so that you know where customer, prospect, supplier and employee data is held.
- This will enable you to respond to any data subject requests or data breaches until you have a more robust process in place.
- Schedule time to create a process to deal with data breaches.
If a data breach happens in the meantime, or a data subject request comes in, it will take you quite a bit of time to process and complete, as you will need to investigate the different data sources and check each of them for the data subject’s details. You have 30 days to react to a data subject exercising rights (but only 72 hours to react to a data breach). If you get a data subject exercising any of their rights, or if a data breach happens, note down what you are doing as you do it so that you can create an efficient process.
The big thing here is making sure that you’re thinking of all the different places where the data subject’s personal data will be (for exercising of rights).
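A minimal data map of the kind described above, as an added example that is not part of the original post: each source records the processing segment, the lawful reason and the processor holding it, so a subject-rights request or breach can be triaged by looking the subject up across every source. The source names, processors, addresses and dates are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class DataSource:
    """One place personal data is held (a 'pot of data' in the map)."""
    name: str
    segment: str        # processing segment, e.g. "employee payroll"
    lawful_basis: str   # the lawful reason recorded for that segment
    processor: str      # who holds it, so a processor agreement can be tracked
    records: list = field(default_factory=list)  # subject identifiers held


# Constructed sample map: illustrative placeholders, not a real inventory.
DATA_MAP = [
    DataSource("CRM", "prospect marketing", "legitimate interests",
               "CRM vendor (hypothetical)", ["ann@example.com", "bob@example.com"]),
    DataSource("Payroll", "employee payroll", "contract",
               "payroll bureau (hypothetical)", ["bob@example.com"]),
    DataSource("Newsletter", "consumer marketing", "consent",
               "mailing tool (hypothetical)", ["ann@example.com"]),
]


def locate_subject(data_map, subject_id):
    """Names of every source holding this subject: the first step of a
    rights request (access, rectification, erasure) or breach triage."""
    return sorted(s.name for s in data_map if subject_id in s.records)


def deadline(received: datetime, kind: str) -> datetime:
    """When you must have reacted: 30 days for a rights request,
    72 hours for a data breach (the timescales quoted above)."""
    if kind == "rights_request":
        return received + timedelta(days=30)
    if kind == "breach":
        return received + timedelta(hours=72)
    raise ValueError(f"unknown event kind: {kind}")


def sources_missing_agreement(data_map, signed_processors):
    """Sources whose processor has no signed processor agreement yet."""
    return sorted(s.name for s in data_map if s.processor not in signed_processors)


if __name__ == "__main__":
    print(locate_subject(DATA_MAP, "ann@example.com"))
    print(deadline(datetime(2018, 6, 1, 9, 0), "breach"))
```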
8 Strategic documentation
Schedule strategic documentation for later – no hurry to do it now, just be sure you have a documented plan of what you will do and when.
You should consider data protection impact assessments here.
9 Overview
A few elements that you should have had in place before 25th May and, if you didn’t, shouldn’t delay any further:
9.1 Now
- Create a basic privacy policy.
- Create a list of organisations that process your data.
- Create a list of clients whose data you process.
- Do a top-level review of your IT security.
- Categorise your data processing segments so that you know what lawful reasons you are using.
- Do something if you have any consent processing segments which don’t conform to GDPR standards.
- Create a generic ‘dataprivacy@’ email address and make sure people can easily find the address. Make sure you have someone who can quickly see and open the emails sent to that address.
- Do a quick summary of what different pots of data you have.
9.2 To do – longer term
In the longer term, you will need to flesh out, document and extend the areas covered as and when you can, given your business priorities. Don’t just ignore GDPR as it’s not going to go away.
Things to do include:
- Privacy policies and facilitating the data subject’s right to be informed.
- Ensuring that you have processor agreements with your clients and processors.
- Get your IT security up to scratch.
- Work out and document the lawful reasons you use for processing your data.
- Create a smooth process to allow data subjects to exercise their rights.
- Make sure you can track and respond to a data breach.
- Put strategic documentation in place and keep it up to date.
Call us on 01635 592020 to discuss your GDPR Compliance Journey or contact us by email
Join our Lifting the Lid Off GDPR and receive a series of de-mystifying GDPR emails which bust some of the common myths about the new law.
We are Julia Blake and Andrew Roberts and we have 35 years of Data Management and Data Protection experience between us – we take a pragmatic approach to Data Legislation.