‘What’s GDPR?’ I hear a man say at a networking event I’m attending.
I’m curious to know whether the gentleman is being ignorant, joking with the lady he is talking to, or whether he doesn’t receive anywhere near the amount of emails that I do on GDPR related topics!
It turns out he did know about GDPR, but didn’t understand the ins and outs and certainly not the process companies need to go through to start complying with the new regulation.
The General Data Protection Regulation (GDPR) comes into force on May 25th, and the preparations for most businesses have been ongoing for a while now. Most of the information I receive – both good and bad – largely concerns one question: ‘are you ready?!’ Unfortunately, GDPR isn’t a one-size-fits-all regulation; the truth of the matter is that no business will be completely ready and compliant from the word go. GDPR certainly applies to all businesses that collect, hold and communicate with personal data subjects within the EU. Personal data is any data that is (or could be) associated with a specific data subject, so that’s names, age, job titles, etc. Sensitive data is also considered personal data, though it relates more to a subject’s personal life, for example sexual orientation, religious or political views, medical history, etc.
The complexities of getting ready for GDPR and the processes required will often depend on your existing business structure, the sector you operate in, and the types and amount of data you hold.
For example, if you are a company that holds huge amounts of both sensitive and personal data, such as an insurance company, you may be more inclined to start focusing on how you store, transfer and erase data securely. This concerns Articles 16 to 20 of the GDPR, which cover the right to erasure, the right to data portability and the right to rectification.
However, if you are a company that relies heavily on marketing, for yourselves or for others, your focus should be on Articles 5 to 11, which highlight the importance of how data is processed and how you gain consent.
Under GDPR, explicit, informed consent must be obtained before collecting a person’s data. You must inform your data subjects of what you’re going to use their information for and how you’re going to communicate with them. Article 7 of the General Data Protection Regulation (GDPR) defines specific conditions that must be met for consent to be considered valid. There may be multiple versions of a data subject’s consent, each of which must be documented and demonstrable. Consent requests must be clearly explained and in plain language. And the data subject must be able to easily withdraw consent.
Unfortunately, a lot of the information which I receive on a daily basis seems to be scare-mongering and selling consultancy services – lots of talk, no real action!
There are some great resources available that provide free advice and excellent information about GDPR and the different Articles to consider. The ICO is the obvious place to start: https://ico.org.uk
As GDPR Practitioners, we are often asked where to start. As GDPR is such a big topic, covering 11 Chapters, 99 Articles and 173 Recitals, you can understand why businesses are panicking and putting a huge amount of pressure on themselves to start putting processes in place!
Our advice is to step back, assess the business, its functions and its requirements – then prioritise! Categorising the requirements against the chapters and articles is often a good start; it will allow you to identify the gaps within your business and put an action plan in place to deliver against. Many businesses we have spoken to have created a small GDPR task force within the organisation to help deliver against the plan.
By all means seek legal advice, but we would recommend working with a data specialist first, formulating the processes and then gaining legal advice if required.