Once GDPR comes into force on 25th May 2018, it will have a profound impact on how all organizations, large, medium or small, handle, manage and use customer data. Even if your website simply collects data on EU citizens, you must comply or face fines of up to €20 million or 4 percent of global annual turnover.
Though GDPR is less than six months away, businesses in the UK are still struggling to understand what must be done to prepare. GDPR is the biggest change to Data Protection law in the UK since the 1998 Data Protection Act. It seeks to improve privacy protection for consumers by changing the way businesses collect, use and transfer personal data. It does not affect only IT departments; these new regulations extend far beyond IT, from Human Resources to Finance and anyone in between who touches data.
All businesses in the UK therefore need to address data storage and access immediately. Companies first need to assess how they store their data and who has access to which data, with what rights. They need to audit all data sources to establish what data is collected, how it is used, who can use it and for how long. Companies must employ, if they do not already, tools that help centralize data from multiple sources and monitor its use. If your business is not using such a platform, you should consider investing in one to ensure that you know where all data lives and who sees what.
The next challenge is educating and training all teams, not just the IT team. All employees must understand the changes GDPR introduces and how they apply to their daily work. GDPR aims to make data usage more transparent for customers, which means the customer services team will need to know what information they can publish, what they cannot, and what constitutes non-compliance. A customer service representative should not have to ask the IT or data team each time they receive a request; instead, companies should train individuals to answer questions quickly and correctly.
Close communication needs to be established between the Customer Service, Legal, Finance and Human Resources teams so that they can keep each other informed of any developments or problems. If you define this process now, you can ensure a smooth transition when GDPR takes effect.
Data Subject Rights are one of the biggest challenges of GDPR. GDPR gives customers, or Data Subjects, the right to obtain:
1. The purpose of the processing.
2. The categories of personal data concerned.
3. The categories of recipient to whom the personal data have been or will be disclosed, which in some cases may be third countries or international organizations.
4. The period for which the data will be stored.
5. The right to erasure of personal data, or restriction of processing of personal data, concerning the data subject.
6. The right to lodge a complaint with a supervisory authority.
If your business is not using a software platform to implement a sound process, you will not be able to manage these requests after 25th May.
Businesses have no idea how many requests they will receive, but they need to prepare for a significant number by having a robust process in place. Since the GDPR penalizes violations with steep fines, it is only wise to set up a process now, while you have time to find faults in internal systems and alert the necessary team members.
Companies not only need to serve data requests from Data Subjects; the information must also be provided in “a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”
As a business, you can no longer use vague language about consumer data that may mislead an individual. Your business must take stock of all privacy notices, assess whether the information could be understood by a child, and rewrite it accordingly.
Whatever processes a company, large or small, puts in place for GDPR must be able to adapt to change. The solution needs to be scalable so that it can handle a growing number of data subject requests.
Addressing these challenges is just the beginning. You will need to make many smaller structural changes to become GDPR compliant. However, by using a software solution that streamlines the process, your business will be in a better position to make those smaller changes. In particular, if you do not intend to hire a Data Protection Officer (DPO), having a data science platform will be crucial for team-wide collaboration.
Our team at GDPR Data Safe has built such a platform, which automates this process for companies while maintaining transparency about who does what within the organization.
To learn more about our platform and other services, call our Customer Support Team today on
0282 003 2280
or submit an enquiry.