How to prepare for GDPR compliance before the May 2018 deadline
The General Data Protection Regulation (GDPR), intended to create consistency in data privacy laws across Europe, has ramifications for businesses located across the globe. If you interact with and obtain data from EU citizens on any platform or device, GDPR matters. Unlike some other regulatory requirements, GDPR compliance cannot be achieved with a one-time effort. Read our foundational article on what GDPR is and who it affects.
GDPR compliance requires business leaders to create organisation-wide awareness across different departments. You will also need dedicated personnel and resources to implement GDPR and ensure ongoing success. GDPR affects different stakeholders and departments within your company, including Marketing, IT, Security, Engineering and even Legal. You may also want to make sure that your third-party suppliers and vendors follow GDPR.
We therefore suggest that companies conduct an internal privacy assessment to identify, document and address existing gaps with respect to GDPR. Next, your firm will need to develop a plan to close these gaps and create operation-wide processes to ensure compliance over the long run. Your firm will also have to appoint resources specifically responsible for GDPR.
What are the Key Requirements of GDPR?
- Right to Access: A customer of your company has the right to ask you to share the information you hold on them, and your firm has an obligation to respond within 30 days.
- Right to Erasure: A customer may invoke their right to be forgotten, which means that your firm will be obligated to delete all data pertaining to that individual from every location where it is stored. Again, you have 30 days to comply.
- Incident Response Process: In case your organisation breaches any regulations, it must notify the EU bodies in charge of handling privacy, and let individuals and businesses know within 72 hours. Organisations will also have to institute processes to tackle complaints - for instance, if a customer writes to you flagging an issue, say that they continue to receive marketing mailers despite asking to be forgotten, then your company must have clear guidelines on what support staff should do, and on how this problem must be escalated, documented and resolved.
- Naming of a Data Protection Officer: A big change is that GDPR calls for naming an individual as Data Protection Officer (DPO), who will be responsible for this function and easily contactable by the public. An in-house DPO may be necessary if your company processes or stores large amounts of EU citizen data, regularly monitors data subjects, or is a public-facing body. However, your company could look at outsourcing this function and hiring a virtual DPO who acts as a consultant to multiple companies, instead of hiring someone full-time and in-house.
Keep visiting our blog to stay updated on the latest news from the world of digital marketing, e-commerce, and write to us for expert guidance on how to go about building your website or brand online using the latest technology and publishing tools.
Preeti Prakash | Journalist