General Business

GDPR – How ready are you?

Julia Seary

The General Data Protection Regulation (GDPR) is a key subject for businesses at the moment, but what does it actually mean and how ready are businesses? Julia Seary, company commercial partner at Roythornes Solicitors, shares her top tips for approaching GDPR.

I recently held a seminar on GDPR and it was one of Roythornes’ most well-attended events of the year. A recent survey, which evaluated businesses’ approach to, and compliance with, the implementation of GDPR on 25 May 2018, revealed that as few as seven percent of those asked felt very prepared. While a small majority felt somewhat ready, at least 25% did not feel ready at all or were not even aware of this new piece of regulation.

Each business and industry has different ‘pain points’ with the introduction of the GDPR, so it is worth doing your research to see what will most affect you and how you can ensure that you remain compliant going forward. However, notwithstanding any industry sector distinctions, my three top tips would be:

  1. Nominate a GDPR lead or Data Processing Officer (DPO)

Having a person to front the initiative will be very important when the regulation comes into force in May. All staff must be adequately briefed, but one person leading on GDPR will ensure that the regulation is given the necessary priority and that compliance is achieved from the outset.

  2. Carry out a data mapping review

This will inform the business of what data you hold, what legal basis is being relied on to process that data and where it has come from. This is also a good time to review and update your procedures and refresh any consents if necessary.

  3. Update your customer-facing privacy notices

This step is essential because businesses must now ensure that customers are informed of exactly what you intend to do with their data. Take this time to also remove any pre-ticked consent boxes and replace them with opt-in boxes.

The take-home message is that you must have a lawful basis to process individuals’ data – most likely explicit consent or legitimate business requirements. Whether in regard to marketing activities, ensuring IT security, managing customer relationships, storing employee data or transferring data, the core principles of data protection will remain, but with tighter controls.
