GDPR has been the subject of discussion in many companies. That is why we compiled a list of things you should do now to make sure that you're ready for May 25th.
- Consult different sources to make sure you understand what GDPR entails and what you have to do to be compliant. You can consult our more elaborate articles here.
- Make sure that everyone in the company is aware of the situation. It’s not just the responsibility of one department. It’s a team effort. You could organize a workshop to make sure that everyone is clear on what you expect from them.
- Appoint a key figure who has an overall view of the situation. He or she will determine what needs to happen within the company.
- Examine what data you keep, for how long, where it comes from and who you share it with.
- Build a database of this information. As of May 25th you are obligated to report a data breach within 72 hours of discovery to the authorities and to the person whose data was leaked.
3. Update your documents
Consent is a key point of the new law. The purpose of GDPR is to protect EU citizens. That is why consent has to be freely given, specific, informed and active. For example, you can no longer pre-check any boxes: the client has to check the box himself in order to, for example, receive a newsletter. If the client is a minor, permission has to be granted by a parent or guardian.
5. Be clear
One of the biggest problems, and one of the reasons for the introduction of the GDPR law, is that people want to know how their personal information is processed. They want more transparency, and that is exactly what this new law will give them. As of May 25th you have to clearly indicate:
- What their personal info is being used for.
- How long you’re going to keep it.
- Whether you're going to share it.
- Whether you're going to share it outside the EU.
6. What is the customer entitled to?
Customers have a right to:
- Information and access
- Be forgotten
- Object against direct marketing practices, profiling and automated individual decision-making
- Transfer their personal data between controllers
These requests will be mandatory starting May 25th 2018. Make sure there are procedures in place to deal with them.
7. Should I appoint a Data Protection Officer?
Only government institutions or companies that process data of a private nature on a large scale (e.g. direct marketing firms) are obligated to appoint a DPO. You can appoint an external consultant or someone in-house. This person carries the title of prevention advisor for privacy.
Keep these guidelines in mind and you will be well on your way to making an opportunity out of GDPR, as opposed to a problem.