Big changes to Data Protection laws are coming into force on 25 May 2018. We take a look at what this means for your organisation and five top tips to help you prepare.
All schools, businesses and charities in the UK will be affected by the strict new rules around protecting customer data. The Data Protection Act (DPA) dates from 1998, so the new General Data Protection Regulation (GDPR) has been introduced to reflect our changing world, with new standards for consumer rights regarding personal data.
GDPR comes into effect on 25th May 2018 and will govern how organisations collect, manage, protect and administer all the personal data they hold.
So, whether you’re a school managing pupil data, a charity dealing with donors or a business communicating with customers, the new regulations apply to everyone (and Brexit does not change that: the UK will still be a member state when GDPR takes effect, and the government has confirmed it will be retained in UK law afterwards).
In the event of a serious breach of the regulation, the Information Commissioner’s Office (ICO) can fine an organisation up to €20m or up to four percent of its annual worldwide turnover, whichever is higher, which is huge!
Here are five top tips for preparing for GDPR:
1. If an individual doesn’t understand what you are doing with their personal data, then you can’t do it. Consent is only one of the lawful bases for processing, but where you rely on it, customers need to give clear, affirmative opt-in consent to receiving information or to you using their data. Each different type of communication or use needs its own opt-in – one ‘yes’ is not a cover-all – and it must be as easy to withdraw as it was to give. You will also need an audit trail that records who consented to what, when, how and which privacy notice they were shown.
2. If you contract out work that gives an agency, contractor or volunteer access to your data, you remain responsible as the data controller for what they do with it. GDPR requires a written contract with any processor that sets out what they may do with the data, and you must ensure any risks are managed adequately.
3. If you don’t have a clear record of what personal data you hold, where it came from and who you share it with, make sure you find out. Hefty fines are possible under GDPR, particularly if you’re unable to demonstrate how you are complying with the data protection principles, so do an audit and see where the gaps are with your processes, management and security.
4. If your organisation carries out regular and systematic monitoring of individuals on a large scale, or processes special category data (such as health or biometric data) on a large scale, you will need a designated Data Protection Officer. Public authorities must appoint one regardless; schools, for example, must appoint someone to this role so that there is a named individual responsible for data protection compliance.
5. If you haven’t ‘cleaned up’ your data for a while, now is the time to do it. You need to be able to demonstrate, along with consent, that you are refreshing data (e.g. every 18 months to two years) and only retaining it for as long as it’s needed. This exercise may hugely reduce your database as you delete old, lapsed, archived or prospect data, but at least the data that remains will be current and relevant, and will relate to individuals who want to hear from you.
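Tips 1 and 5 both come down to keeping a record you can actually answer questions from: who agreed to what, for which purpose, when, and whether that consent is still fresh. The following is an added example of such a consent register, written for this article; it is not Cygnet’s code, and the purpose names, the 24-month refresh window and the sample people in it are constructed assumptions for illustration, not figures taken from the regulation.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Added example: a per-purpose consent register with an append-only audit
# trail. The purpose names, the 24-month refresh window and the notice
# versions are constructed for illustration, not taken from the regulation.
REFRESH_WINDOW = timedelta(days=730)


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str        # who the record is about
    purpose: str           # one purpose per record: "email_news", "postal_appeal", ...
    given: bool            # True = opted in, False = withdrawn
    recorded_at: datetime  # timezone-aware timestamp of the event
    source: str            # where it was captured, e.g. "web_form_v3", "phone"
    notice_version: str    # which privacy notice the person was shown


@dataclass
class ConsentRegister:
    log: List[ConsentRecord] = field(default_factory=list)

    def record(self, rec: ConsentRecord) -> None:
        # Append only: a withdrawal is a new entry, never an edit, so the
        # history of what was agreed and when remains intact.
        self.log.append(rec)

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentRecord]:
        matches = [r for r in self.log
                   if r.subject_id == subject_id and r.purpose == purpose]
        return max(matches, key=lambda r: r.recorded_at) if matches else None

    def may_process(self, subject_id: str, purpose: str, now: datetime) -> bool:
        # Default deny: no record for this exact purpose, a withdrawal, or an
        # opt-in older than the refresh window all block processing.
        rec = self.latest(subject_id, purpose)
        if rec is None or not rec.given:
            return False
        return now - rec.recorded_at <= REFRESH_WINDOW

    def due_for_refresh(self, now: datetime) -> List[Tuple[str, str]]:
        # (subject, purpose) pairs whose most recent opt-in has aged out.
        due = []
        for subject_id, purpose in sorted({(r.subject_id, r.purpose) for r in self.log}):
            rec = self.latest(subject_id, purpose)
            if rec is not None and rec.given and now - rec.recorded_at > REFRESH_WINDOW:
                due.append((subject_id, purpose))
        return due

    def audit_trail(self, subject_id: str) -> List[ConsentRecord]:
        return sorted((r for r in self.log if r.subject_id == subject_id),
                      key=lambda r: r.recorded_at)


# Constructed sample data, anchored to the GDPR start date so results are stable.
GDPR_DAY = datetime(2018, 5, 25, tzinfo=timezone.utc)


def build_sample_register() -> ConsentRegister:
    reg = ConsentRegister()
    # alice: opted in to email only; no record exists for postal appeals
    reg.record(ConsentRecord("alice", "email_news", True,
                             GDPR_DAY - timedelta(days=30), "web_form_v3", "2018-05"))
    # bob: opted in, then withdrew two weeks later
    reg.record(ConsentRecord("bob", "email_news", True,
                             GDPR_DAY - timedelta(days=60), "web_form_v3", "2018-05"))
    reg.record(ConsentRecord("bob", "email_news", False,
                             GDPR_DAY - timedelta(days=46), "unsubscribe_link", "2018-05"))
    # carol: a three-year-old opt-in captured under an older privacy notice
    reg.record(ConsentRecord("carol", "postal_appeal", True,
                             GDPR_DAY - timedelta(days=3 * 365), "paper_form", "2015-01"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for subject, purpose in [("alice", "email_news"), ("alice", "postal_appeal"),
                             ("bob", "email_news"), ("carol", "postal_appeal")]:
        print(f"{subject:6} {purpose:14} allowed={reg.may_process(subject, purpose, GDPR_DAY)}")
    print("due for refresh:", reg.due_for_refresh(GDPR_DAY))
    for r in reg.audit_trail("bob"):
        print("bob trail:", r.recorded_at.date(), r.purpose,
              "given" if r.given else "withdrawn", r.source)
```

Two design choices do the work here. Consent is keyed by purpose, so alice’s email opt-in says nothing about postal appeals, which is the “one ‘yes’ is not a cover-all” point from tip 1. And the register is append-only, so bob’s withdrawal is a second entry rather than an overwrite: the trail still shows that he did consent, via which form and under which notice, and when he changed his mind. The refresh check gives you the list to work through for tip 5 instead of deleting records by guesswork.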
Cygnet can help your school, business or charity understand the implications of GDPR and help you put in place the right systems and processes. Get in touch today to speak with the team.