There’s just a couple of days to go until the new data protection laws of GDPR come into effect on 25th May 2018. As an individual leading a portfolio career, now is the time to make sure all your time-sensitive plans are well under way. The full GDPR documentation contains 99 articles across 200 pages, and a couple of days may not be enough to cut through the noise and identify the priorities you need to action. If you are still working out what to prioritise for GDPR compliance, this article outlines the key steps to action before Friday 25th May so you can be as ready as possible for GDPR.
Check and document what data you hold
Knowing what data you have and why you have it is the most vital step in adhering to the new data protection laws. You should complete a list of all the personal data you hold, what you intend to do with it and the justification you have for keeping it. According to the GDPR legislation, there are six different justifications (lawful bases) for holding onto someone's data: legitimate interest, contract, public task, consent, legal obligation or vital interest.
As a consultant, this could be the personal data of any customers, past or present, prospects, or suppliers you’ve used for a service. The information you hold can range from someone’s name to their email address, phone number or postal address. The GDPR legislation makes it clear that you should only hold onto as much data as you need to complete your business processes, and dispose of it correctly when it is no longer needed.
Check your data is compliant
GDPR requires every database of personal data you hold to be compliant. Any existing database you store that contains personal data, including a CRM, should be checked thoroughly. You must review the opt-in consent originally obtained from the people in those databases and confirm whether it is still compatible with the GDPR. Any prospect or customer you contact under GDPR must actively confirm their consent, for example by ticking a box to confirm they’re open to receiving content from you. Unclear or leading forms of consent, such as silence, pre-ticked boxes or inactivity, are not valid under the GDPR legislation.
In the event that your existing consent isn't sufficient and you have no other lawful basis for holding such data, you will have to contact every individual in the database to seek their consent. If you cannot confirm specific consent for the ways you’d like to process the data, then that individual’s data must be removed. In actioning these requirements you may see your sales and marketing data reduced, but whilst your list may shrink, you will ultimately have a database of prospects and customers who are likely to be more valuable to you.
Make sure you have a security plan in place
Under the new GDPR legislation, there are extra responsibilities on you to prove that you are processing personal information securely, with appropriate measures in place to protect it. Significant data breaches need to be reported immediately to the ICO and to the individuals affected. Should the worst happen and you experience a personal data breach, you should make sure you have the right procedures in place for immediate damage limitation: detecting the breach, investigating it and reporting it.
Security must be built into the software and systems that any personal data passes through, such as anti-virus technologies, with documented standards and practices created to minimise the scale of any attack. Keep on top of system updates and, where possible, run the latest version of your operating system, because it is more likely to have the latest security patches. Look into measures such as data encryption. Even if you handle minimal volumes of personal data, an effective encryption solution provides appropriate protection for key data in transit.