Five ways to prepare for the GDPR
Five ways to prepare your business website for the new Euro-regulations on data protection
It’s the GDPR we’re talking about here. The General Data Protection Regulation of the European Union. The legislation has been enacted in the European Parliament in Strasbourg, and the Regulation comes into force next year, in May. Believe it or not, you must prepare for the GDPR or you’ll put your business at risk.
You may not know it yet, but if you have a website and have any dealings with European citizens or nations, this 250-odd page law will impact you. No question. It’s a major update to the previous EU data-protection law, which goes all the way back to 1995 and was called the Data Protection Directive (officially Directive 95/46/EC).
No one disagrees that an update is long overdue. 1995 was 19 long technological years ago, and so much has happened in the world of communication and data in the interim. Compared to connectivity now, 1995 might as well have been medieval times.
So the question is, how can you prepare for the GDPR before it hits in 2018? You may say ‘there’s no need to think about that now’. But when you are told that negligent failure to protect your clients’ data can result in a fine of up to four percent of your annual turnover, you’re going to sit up and listen, right? The law itself says that fines should be ‘effective, proportionate, and dissuasive’. Note that last word well.
Then, when you hear that any EU citizen has the right to know how their data is being used, you’ll prick up your ears.
Finally, when you’re informed that any EU citizen can demand that their data be erased permanently from your systems, you’ll raise both eyebrows.
You’ll need to make yourself more familiar with the GDPR as time goes on, but for now here are five immediate things you can get your teeth into that will kick the process off. Granted, some of the solutions will vary slightly depending on the size of your organization, but the general principles stand clear.
Here’s how to prepare for the GDPR
1. Get someone on it who knows what they’re doing.
A key requirement of the GDPR is that businesses that hold large amounts of data about customers or individuals must have an employee designated as a data manager, whose role is to ensure the security of your clients’ data. The same person may also be responsible for responding to customer inquiries about their data. Whatever size your organization is (and it doesn’t have to be a business; the same rules apply to any concern that handles personal data, such as charities), you’d be well advised to have a data manager who knows what they’re doing and who has your back.
2. Security, security, security.
It is impossible to overstate how important data security is. Just think of the disastrous breaches that occur on a regular basis and ask yourself: do you want to go through that PR hell? The fact is, if you’re an SME, a serious data breach at your business could put you out of business. 60 percent of SMEs that have suffered a serious hack go out of business within six months. So it’s not just your reputation that is at stake, but your livelihood itself. Security is one area where you should be investing, considering the current ubiquity of nasty little irritations such as ransomware.
One way forward that shouldn’t be too pricey is to get a professional security audit of your company’s systems and data. The reason you need to do this yourself is that you can’t rely on your hosting company or server owner to do the work for you.
Get all the basics right, too. Many of them are pretty commonsensical, such as ensuring you change your passwords every month, being wary of USB sticks, files, and discs from unknown sources, and tightly restricting the set of employees who have access to the network.
3. Get responsive in as many ways as you can.
One of the provisions in the GDPR states that customer or client inquiries about the data your organization holds must be dealt with in a timely manner. It’s not going to be good enough to have a bot reply with a predetermined menu of FAQs. You need to be paying attention to what your customers are asking you.
Here’s what the regulation says:
‘The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month.’
That’ll mean things such as managing your social media accounts properly by monitoring and responding to posts or queries, and answering emails from customers in good time. The best companies now have secure email inquiry addresses and commit to responding to your question within 24 hours, which is a reasonable time frame.
However you manage it, someone needs to be on top of it at all times, and your website should have clear directions as to how your company or organization can be contacted.
4. Get a GDPR audit.
Of course, this is the twenty-first century, and we’re in a world where should a need arise, someone will try to offer that service to you for a fee. And lo, the need arises for a GDPR audit of your data and online presence. So yes, there are thousands of companies out there offering you that very service.
Which one you pick is up to you, but research well and don’t necessarily go for the cheapest option. What the audit should provide you with is a checklist of things you need to get sorted before you’re GDPR-compliant.
5. Audit the data you hold.
Ignorance is not an excuse when it comes to breaches of the GDPR. That’s why it’s crucial to do two things well before it comes into force. First, you have to brief your employees or associates on the fact that the GDPR is coming into force, and how that impacts the way you handle the data your organization holds on members of the public.
Secondly, and most importantly, you need to audit all the data you actually hold, who you share that data with, and where that data came from. That way you can plug leaks if need be, let your customers know how their data is being used, and rectify errors to which your customers alert you.
Forewarned is forearmed, they say. There are few things about which that is truer than the GDPR. Be sure you prepare for the GDPR before it takes effect!
We’ll be writing more about ways to prepare for the GDPR very soon.