The new General Data Protection Regulation (GDPR) will put strict new responsibilities on all businesses handling people’s data. The changes, which come into force on 25 May, are accompanied by significant new fines for those infringing consumers’ rights, amounting to as much as 4% of turnover.
But for businesses grappling with GDPR, help is at hand. Christine Andrews of the DQM GRC consultancy gave CGA’s 2020 Conference a quickfire guide to the new obligations and what to do about them—and you can watch her full presentation now. Here are seven of her key messages.
1. Understand your gaps
An audit of data processes against the requirements of GDPR will help identify what action needs to be taken. Firms should be especially clear on their legal bases for processing data. As Andrews pointed out: “The bar for consent is being raised much higher by GDPR.”
2. Map your data flows
Businesses need to show they have close control of their data—so document where it is coming from, what it comprises, how it is stored and where it goes. “This is one way of being very demonstrable—showing that you know all about the data you have about your customers,” said Andrews.
3. Check your policies
Review your data protection, retention, privacy and other policies against GDPR. Be sure you can show how you comply with the policies too. “It’s about getting data protection and privacy into the DNA of the organization.”
4. Understand the new rights
GDPR gives people new rights to access, restrict or erase the data that is held about them. Be ready to respond when anyone requests their data or asks for it to be deleted.
5. Review your security
Be certain and transparent on how you keep customers’ data secure—and know what to do if you ever suffer a breach. “When the proverbial hits the fan… you need to have a response planned,” Andrews said.
6. Look at third parties too
Data protection needs to go beyond the confines of a business. Firms need to be clear about what their partners are doing with their data, and what security measures those businesses have in place.
7. Train your staff
It’s not enough for one or two people to be clear on data policies—all staff need to have at least some knowledge of what is required of them. “It doesn’t have to cost the earth, but do make sure your staff are trained,” said Andrews.