10 August 2016 16:00
5 steps to get your business ready for new data protection rules
The new General Data Protection Regulation (GDPR) is due to be implemented into national law by 2018. Corporate and Commercial lawyer Kirsty McAuley of Coodes Solicitors gives her top 5 tips to get your business ready.
1. Review how you hold data now
A good starting point is reviewing how you currently hold and manage data. This could be personal information on customers, clients or other contacts. Do you understand how this data is held, who can access it and whether or not it is shared with other companies? Understanding how you currently manage data will be vital to ensuring you make the necessary changes to comply with the new regulation. Build in regular reviews and delete old and unnecessary data.
2. Understand the difference between opting in and
Under the GDPR, people will generally need to ‘opt in’ rather than ‘opt out’ of receiving information from you or third parties. At the moment, for example, some businesses invite customers to tick a box (opt out) if they do not want to receive further information and some online forms include pre-ticked boxes, which need to be unticked. This will no longer be possible when the new regulation comes into force. Now is a good time to start looking at how people currently sign up to receive information from your business and incorporate a positive ‘opt in’ procedure.
3. Set up processes for managing data breaches
regulation sets out stricter terms for how a business needs to respond when sensitive or confidential data is accessed by an unauthorised person – accidentally or otherwise. Under the GDPR, businesses must report any data breaches to the Government body responsible for data protection (the ICO) as well as to the individual affected. It will be far easier to manage any breaches if systems are in place to identify when these occur.
4. Work out how to handle data access requests
A key element of the new regulation is that individuals should have the right to access their own data, for free and within a shorter timescale than is currently permitted. It will also allow people to exercise more rights around their data, including an expansion on the right of an individual to be forgotten. Businesses should therefore review how they currently manage any data access requests and consider how they can handle them more quickly and efficiently in the future.
5. Get your teams on board
The success of any business in meeting the new requirements will be dependent on people across the business understanding the changes. Your business may be under a requirement to appoint a data protection officer and so it is best to look at this sooner rather than later. Although the exact form of the national law is not yet known, it would be wise to start awareness raising as soon as possible. Consider who the key people are – particularly at a senior level – who will need to have an understanding of the GDPR and work out what information they need. You can then put a training and communications plan in place.
For advice on preparing your business for the GDPR please contact Kirsty McAuley at Coodes Solicitors on 01326 318900 or firstname.lastname@example.org. www.coodes.co.uk