GDPR is coming - are you prepared?

For anyone who knows about the new regulations coming into force on the 25th May 2018, you should have started your journey to implement change and working your way towards compliance. If you haven't heard of it then you will need to get some guidance and advice quick.

I have previously written a post about GDPR and in case you missed it, here it is again.

The way we handle data is changing

One significant change is that all websites must have a visible Data Protection Policy and Privacy Policy.

The way information is stored now must be clear and concise. If the website has a contact option, then it must state clearly and in simple terms what the data will be used for and cannot be used outside of these remits.

Below I have highlighted key points to be aware of but the ICO are constantly changing their live document, so it is worth keeping an eye out on their site. The goal posts change regularly.

Be sure to check out the Information Commissioner Office website ico.org.uk for up to date information.

Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes.

There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.

Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent.

Public authorities and employers will need to take care to ensure that consent is freely given.

Consent must be verifiable, and individuals generally have more rights where you rely on consent to process their data.

Remember that you can rely on other lawful bases apart from consent – for example, where processing is necessary for the purposes of your organisation’s or a third party’s legitimate interests.

You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR.

But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard of being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.

If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.

Good practice has always been that you include Opt-Out requests on all email communications and a double Opt-In system. But now you have a legal obligation to comply with these requests.

There must be explicit consent given to marketing communications – you can’t have pre-ticked boxes or assumed consent.

People have to know who will have access to that data, and what they are signing up for. This should be covered by your policies.

For your own business, it is important to audit your processes and prepare.

Be prepared for the change. This PDF on preparing on the GDPR highlights 12 steps you should be taking now. Don’t get caught out.

There are many online tools that can help you understand so don't leave it until the last minute, start your journey now and start looking at the way you handle data, why you handle it and make sure that you have steps and processes in place should you ever face a data breach.

Which, hopefully, will not be the case and if you need further guidance then get in touch, I can point you in the right direction.