In the third part of the GDPR blog series we’re covering how your business needs to change ahead of GDPR. You can read our GDPR blog series by following the links below:
- The General Data Protection Regulation – An introduction to GDPR
- How the GDPR affects the personal data you hold
- Plan how you need to change ahead of GDPR implementation
- How GDPR gives rights to individuals and their data
- What is your lawful basis for processing data
- GDPR gives you a duty to prevent and report data breaches
Plan how you need to change ahead of GDPR
It’s easy for small businesses with heavy workloads to ignore the GDPR, to perhaps see it as an unnecessary burden, but it is to be taken seriously. In reality, it’s something you could use to your advantage. Many customers will appreciate you being transparent with compliance and it could add real value to your business, maybe even bring in new customers. It’s going to be far easier in the long run to be compliant than to constantly spend time trying to explain how you can avoid it.
When planning how your business needs to change for GDPR it’s important to remember this affects your employees, suppliers and customers, and indeed anyone else whose data you store. You need to know what data you hold, how you gathered it, why you hold it and how it’s used. If you’re holding on to data for longer than necessary, for reasons the individual isn’t aware of, or without any other lawful basis, you should remove it.
Designate Responsibilities
It is recommended that your company quickly takes steps to designate responsibilities for data protection compliance. This could be a specific individual or perhaps a small team within some larger organisations. You may also want to consider creating the role of ‘Data Protection Officer’, but this is only required for public bodies and organisations who monitor individuals on a large scale.
The most important thing is that someone within your company is taking proper responsibility for data protection. This person should have the knowledge, support and authority within your business to carry out the role effectively. All your staff should be correctly trained to identify an issue and be aware of the need to report any mistakes to the responsible person. It’s ultimately down to business owners to ensure you have the right procedures in place to detect, report and investigate any personal data breach.
Implement new data processing systems
You will need to implement systems that will allow any data access requests to be processed within 1 month. Under GDPR individuals have the right to access all personal data you store, ask how you collected it and request you completely erase all the data you hold on them. Once a request is received you will have one month to carry it out; this can only be extended in mitigating circumstances.
In some extreme cases you may need to report a data breach to the ICO, but this is only required where a breach poses a serious threat to the individual. This includes, for example, cases where the person could suffer financial loss, damage to reputation or other significant economic or social disadvantage.
Perform due diligence of supply chains
You may also want to consider performing due diligence on your supply chain. You will want to ensure all your suppliers are also GDPR compliant to avoid any issues impacting on your business. Part of the new regulations requires that you have a written data processing agreement with any supplier you share personal data with – this includes any software that you utilise to store any personal data.
The use of data processing agreements ensures that both you and any data processor understand your responsibilities under GDPR and ultimately helps all parties to be compliant.
What steps are Flex4 taking to prepare for GDPR?
In preparation for the introduction of GDPR, Flex4 have undertaken the following:
- Carried out a data mapping exercise to understand what personal data is stored and accessed within our business.
- We have updated our terms of use and privacy policy to comply with GDPR requirements, which will apply to you on and after May 25, 2018.
- We have created a Data Processing Agreement for all of our OPS customers (see below).
- We have received Data Processing Agreements from our own data processors.
- We have installed the Wordfence security suite on all OPS websites.
- We have implemented an SSL certificate on our own websites.
- We have developed new OPS functionality to allow customers to agree to terms and conditions and / or privacy policy when a user next logs in or registers as a new user. The new functionality also includes the ability for users to confirm their marketing preferences (i.e. email, telephone and post).
These are just some of the many steps Flex4 has taken to meet the data transparency goals of the GDPR. This continues our practice of protecting your data and providing for the legal and secure handling of your organisation’s critical business information.