The General Data Protection Regulation (GDPR) applies from May 25th, 2018. It is inextricably linked to the new Data Protection Bill announced in September, and it should also be joined by new ePrivacy regulation scheduled to come into force at the same time; the details of that have yet to be announced!
There are 99 articles setting out the rights of individuals and obligations placed on organisations covered by the regulation. Too many for this article but here are some tips and insights to help you gear up for the changes ahead.
Consumers will have new rights in respect of their data. These will include a right of access and a right of data portability, to make switching supplier easier. Customers will also have the right to be forgotten (the right to erasure). Alongside that right sits the principle of storage limitation: you should not keep personal data for longer than you need it. So now is the time to check your database and securely delete those customers who have had no contact with your business for an extended time, where you no longer have a reason to retain their data. Having looked at a number of databases, the impact here might be significant, but what will be left is a more accurate database.
Ensure business leaders and customer-facing staff are aware of GDPR, how it will affect your business, the role they play and the processes and controls that must be followed to comply.
You should document what personal data you hold as a business, where it came from and who you share it with. You may need to organise an information audit.
You need to be transparent with the customer about your use of their data and ensure they are aware of the recipients, or categories of recipients, with whom it will be shared. The most suitable way to do this is through a concise, transparent, plain English privacy notice.
You should review how you seek, record and manage customers’ consent to use/record their data and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
If you rent customer lists for direct marketing, it is your business that will be responsible for ensuring the consumer has given valid consent. This could be very hard to prove, so ask the list provider for evidence of when, how and for what purpose consent was obtained before you use the list.
You need to establish whether, as a business, you are a data processor, a data controller or both. This matters because each role carries its own obligations under the GDPR. If another company processes data on your behalf while you control it, you need a written contract with that processor and you need to ask them what measures they are putting in place to minimise the risk of data loss and breach.
You need processes in place to detect, report and handle a data breach. Where a breach is likely to result in a risk to individuals' rights and freedoms, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, so your detection and escalation process needs to work to that clock.
We hope you find this guidance useful. If you work with Codeweavers and would like information on how Codeweavers are gearing up for GDPR, please email us at: firstname.lastname@example.org.