
GDPR is about your customers and their personal data. It’s about what information you have, what you do with it, what you intend to do with it, how, when and for how long. It’s about protecting people and giving them more control over their personal information.

GDPR is a vital step toward harmonising data protection requirements across the EU. Anyone who collects or processes personal data is required to comply with the new regulation. This includes organisations that run websites or apps, organisations that use internal databases or CRMs, and even those that hold customer details in plain old email.
GDPR requires data controllers to state what data is being processed and for what purposes. The definition of ‘personal data’ has also been extended to encompass device identifiers, cookie IDs, IP addresses and location information. Genetic and biometric data are now classed as ‘special category’ personal data (often called sensitive data), which attracts stricter conditions for processing.
You will also be required to inform data subjects how long their data will be stored, and to state who they should contact about any part of the data controller’s processing activities. This could be your newly appointed Data Protection Officer (DPO) - maybe by giving them a special badge or a hard hat and hi-vis vest?

Where you rely on consent as your lawful basis, it must be obtained from the data subject before their data is processed, and you must be able to demonstrate that consent for each and every individual.
Data can only be used for the purposes for which consent has been given. For example, if someone contacts you through your website with an enquiry, you cannot add them to your email marketing list unless they have actively ‘opted in’ to that at the point of submitting their data. Pre-ticked boxes and silence do not count as consent.
GDPR makes it clear that electronic consent requests must not be unnecessarily disruptive to users. You will need to think about how to tailor your consent requests so that they give clear and comprehensive information without confusing people or disrupting the user experience. Two approaches that work well are user-friendly layered information (a short notice with a link to the full detail) and ‘at-the-point-of-necessity’ consents, requested when a user actually decides to contact you or sign up.

England make it to the World Cup semi-final - only to go to penalties. Sounds bad, right? Penalties for not complying with GDPR are even worse.
The maximum sanction for non-compliance with the GDPR is €20,000,000 or up to 4% of your annual worldwide turnover (based on figures from the preceding financial year), whichever is the greater. Yes, you read that correctly - ignoring this as an EU ‘banana is too straight’ regulation is not an option.

Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

Check your procedures to ensure that they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

Update your procedures and plan how you will handle subject access requests within the new one-month timescale, and how you will provide the additional information GDPR requires (such as your lawful basis and retention period).

Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

Do you need to put systems in place to verify individuals’ ages? Do you need to obtain parental or guardian consent for any data processing activity?

Make sure you have the right procedures in place to detect, report and investigate a personal data breach.

Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments (called Data Protection Impact Assessments under GDPR) as well as the latest guidance from the Article 29 Working Party, and understand how and when you are required to carry one out.

Appoint a Data Protection Officer where GDPR requires one (or where you choose to) to take responsibility for data protection compliance, and assess where this role will sit within your organisation’s structure and governance arrangements.

Give us a call and book your free consultation to work out how Mundo can help your business get GDPR-ready.
More information:
https://ico.org.uk/
Steps are good, Mundo is even better.
Drop us an email today.