Key GDPR Questions for Every Business to Answer Now, Part 1

In a year’s time the General Data Protection Regulation (GDPR) will come into force and will affect all businesses in the UK. Penalties are severe: up to £17M or 4% of turnover, whichever is greater.

On the one hand, GDPR is going to be over-hyped as a way to get sales. On the other, it will be devilishly complex and, as always, it is best to be prepared by addressing the issues early. It is time for businesses to ask themselves a series of questions.

As a business, do I control data or process data?

If, as a business, you’ve answered no, then think again. Data here is anything which might identify an individual, such as your list of clients, potential customers or your employees. A data controller is the person, business or organisation that determines how and why data is processed. A data processor is one who is acting on the controller’s behalf.

As a controller, I need a clear policy on how and why I use data. If I am a processor acting on the controller’s behalf, I now have greater accountability for ensuring that the data is lawfully processed and for preventing breaches.

What Does GDPR Consent Mean?

If I am communicating with a person, did they give a clear affirmative action showing that they consented to be contacted? AND have I got a record of that consent? So forget silence, pre-ticked boxes and old inactive customer records. It is good marketing practice to get the active consent of individuals to receive your communications, but this will also apply to things like payroll. Not everybody likes electronic payslips.

Did I inform the individuals of their right to object to the use of their data (e.g. for marketing) at the first point of communication, explicitly and presented clearly and separately? So forget hiding it in the small print, and forget complicated opt-in and opt-out boxes whose meaning changes to catch the unwary out. Do I continue to remind them of their right to change their mind?

What’s next?

Next time we will give an overview of systems and people before tackling accountability, governance and compliance. Otherwise this blog would be even longer! And through the year we will revisit the areas in greater detail.

All companies should start to review GDPR now, so they have time to understand its impact on them and ensure they have taken reasonable, comprehensive but proportionate steps to comply. In other words, the bigger the business you are, the more detailed your review, as you have greater time and resources.

But the reason I’ve used ‘I’ here is that GDPR impacts even the smallest one-person company.