Countdown to the GDPR: the five things you need to do before 25th May
26 Apr 2018
In one month, on 25th May, the General Data Protection Regulation (GDPR) will take effect. If you have not yet taken steps to make your business GDPR-compliant, now is the time to take action.
While the Information Commissioner’s Office (ICO) has indicated that it is not intending to issue large fines immediately from 25 May, businesses must be able to demonstrate that they are taking the necessary steps to comply.
Those businesses that are ignoring the upcoming changes, or have failed to take any steps at all, will be most at risk of fines.
To ensure this doesn’t happen to your business, experts at Manchester law firm Kuits have set out the five key steps you should be taking before the deadline:
1. Marketing: if you carry out marketing as part of your business, you should review your lawful basis for such marketing. If your lawful basis is consent, then you will need to refresh these consents to make them GDPR-compliant prior to 25 May (hence the many re-consent emails that have been dropping into inboxes over the last month or so). If you have not done so before 25 May, you may have missed your opportunity: after that date it could in itself be unlawful to contact those individuals, and your business could be exposed to potential fines. If you are relying on legitimate interests as your lawful basis, be warned – this will not be appropriate for all businesses, and therefore a bespoke evaluation of your databases and communications is advised.
2. Privacy notices: even if you are not refreshing consents, you will need to provide updated privacy information to individuals whose personal data you hold. This is usually done through your privacy notice, which will need to be updated to comply with the specific requirements of the GDPR. You will need to communicate these updated policies to your employees, suppliers and customers.
3. Contracts: all contracts that include any element of personal data-sharing (which will be most of your contracts) will need to be updated to comply with the specific requirements of the GDPR. This will include your employee, supplier and customer contracts. Again, you will need to communicate these updates to the relevant parties and ensure they are validly incorporated/accepted.
4. Security and technology: you should review your data security (technical, physical and organisational) and establish additional measures you can take to protect the personal data held by your organisation.
5. Testing: you may want to conduct certain drills to test how ready your business is for the GDPR. This could include systems penetration testing, which can be conducted in tandem with your IT/cyber security provider, and data subject access request and data breach simulations to evaluate the readiness of your business for dealing with these events. The results of such tests should then be discussed, reviewed and used to improve/update your policies and procedures going forward.
Remember, your GDPR compliance project does not end on 25 May. GDPR compliance is an ongoing project and businesses should be continually reviewing, evaluating and updating their approach to GDPR compliance to make data protection a key part of their business strategy.
The Kuits GDPR advisory team has been conducting audits and providing GDPR advice to organisations of all shapes and sizes across the North West.
If you would like to speak to an expert about the GDPR, no matter where you are in the process, please call 0161 979 0808 or email firstname.lastname@example.org.