GDPR is coming - but are you ready?

By: Luke Barlow

Date: 9 October 2017

Data breaches and customer information leaks seem to be in the news almost every day. Whether it's Yahoo getting hacked or the personal data of over 140 million Americans being stolen from Equifax, these breaches have a profound effect on anyone impacted.

It's not just data breaches - we all have a duty to market to our customers responsibly, let them know about how we use their data, explain their privacy rights and take all the necessary steps to keep them safe. That's why we all need to get ready for the new EU directive coming in May 2018 - the General Data Protection Regulation - GDPR for short.

With less than a year until GDPR, only half of all businesses are expected to be compliant by the deadline. That's risky, as it opens you up to fines and legal action, and could prevent customers doing business with you.

So, what steps can you take to become compliant? GDPR covers three main areas:

  • Information you already hold about your customers.
  • Information you're going to collect in the future.
  • How you're going to market to your customers.

GDPR is not optional. That means you need to involve senior managers, frontline staff, IT and anyone else involved in collecting, managing, or storing customer data. The Information Commissioner's Office has a very helpful PDF that explains how to go about involving people.

My recommendations are:

Carry out a data audit. Work out exactly what information you collect from customers, where it's stored, how it's protected, who you share it with and what it's used for.

Get the right policies in place. Make sure you have clear policies for the collection, storage, sharing and management of data.

Understand how you process data. You need to document everything you do to collect and process information. That includes keeping records of all the data you process, and correcting inaccuracies in data. You need to do this in your own organisation and update the information with any other organisations you've shared it with.

Protect the data you hold. You need to get full accountability, governance, and the proper protections in place for handling customer data. You will also need to show how you will handle any data breaches.

Review and rewrite your privacy policy. This is an important document that tells your customers what they can expect. Make sure you update it and include all the new information required as part of GDPR.

Understand your customers' rights. I was pleased to see that GDPR strengthens many of the rights individuals have on how businesses handle their personal information.

Request proper consent from your customers. Another important aspect of GDPR involves consent - getting permission from customers to collect their data and market to them. This is especially important as it applies to children. If you engage in direct marketing to customers (for example by email or post) you need to pay special attention to this area.

Review other areas of GDPR. GDPR is a complex beast; there are lots of other ways it could impact your business. For example:

  • Handling data management and sharing across EU and international boundaries;
  • Getting data protection officers in place;
  • Understanding data protection impact assessments.

The Information Commissioner's Office is a great place to start and provides much of the insight you will need; IT Pro is another great resource.

If there's one message I want to leave you with, it's this. Make sure you start taking data protection steps now - you must be compliant by May 2018, so it's time to learn more and get the right policies, processes, procedures, and technology in place.

Sponsored post. Copyright © 2017. Luke Barlow is ecommerce director at Tufferman.