Monday, 16 October 2017

GDPR - what is it, and do I need to worry about it?


So, what is GDPR?

It stands for General Data Protection Regulation, which is all well and fine, but why are we mentioning it?

Well, the new rules on how personal data may be used come into force on 25 May 2018. Most people might think it probably doesn't affect them, but they would be very wrong: the Regulation applies to any organisation that holds or processes personal data about individuals in the EU, whatever its size. The main purpose of the GDPR is to strengthen people's rights over their own data and to improve privacy and data protection.


When the GDPR comes into force, companies of any size can face huge fines (up to 20 million euros or 4% of worldwide annual turnover, whichever is higher) if they fail to look after personal data properly. On top of that, a personal data breach has to be reported to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, and where the breach is likely to put the people affected at high risk, they have to be told as well, without undue delay. 72 hours is not long to work out what happened, what data was involved and who is affected. For big companies with huge IT departments this will be a challenge, but for SMEs, well, this will be a serious risk to the business.

SMEs will need to have a plan in place, with forensic investigators on hand to determine the extent of the issue. They will need lawyers and PR people to communicate with their customers and the regulator. So if you already employ all those people, you will probably be alright... In reality, it means contracts with third parties to supply those services, signed before anything goes wrong, not after.

A big change in how things are done is that you need a lawful basis for every use you make of personal data, and where that basis is consent, it has to be a clear, active opt-in from the person concerned. Passing data on to a data processor also needs a written contract setting out what the processor may do with it. That is a fundamental change to how many companies gather and use data. We, Eazipay, will be contacting each of our clients in the near future. There is a danger that Direct Debits could not be collected if the company is not compliant with GDPR! But don't worry, we are well on our way.

The number one job is making sure you have a cyber incident response plan in place. All the roles and responsibilities need to be clearly defined: who decides the breach is real, who preserves the evidence, who talks to the ICO, who talks to customers. No SME should find itself facing a fine (which could be huge) or fumbling through an incident with the 72-hour clock running. The old adage that failing to plan means planning to fail is very apt.

An information audit will be essential. You need to understand what happens to your data. What do you hold, where did it come from, how is it processed, stored, shared and deleted, and on what lawful basis? This will tell you where the risks to the data are. Depending on what you process, you may need to appoint a Data Protection Officer; it is compulsory for public bodies and for organisations doing large-scale monitoring or handling special categories of data, and a sensible idea for many others. The DPO's job is to monitor compliance and advise the company on risk.

All is not lost though; there is such a thing as cyber insurance. Good policies will give you access to all the specialist providers and services mentioned above. Having a good policy could save your company. If you don't want to do that, at least have a good plan.

So, if you have a CRM system you will have to record where the data came from for each and every record you hold, and for each purpose you use it for, when and where consent was given, what the person was actually shown, and when it was withdrawn. You have to be able to demonstrate that consent was given, not just assert it. This will probably mean a few layout changes to the CRM.

Email marketing, direct marketing and telesales are going to see the biggest change. You can no longer assume that permission to contact someone has been given. Pre-ticked boxes, silence or inactivity will not count as consent, and a consent request has to be clear and kept separate from other terms. There are also changes on the way to the Privacy and Electronic Communications Regulations (PECR), and the net effect is that the well hidden or cleverly worded "tick or untick this box" will no longer be allowed. People will have to actively opt in for you to be GDPR compliant.
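To make the CRM point and the opt-in point above concrete, here is an added example (not Eazipay's system, and not any real CRM product) of a small consent ledger: an append-only table that records where each contact came from and, per purpose, when, where and on what wording consent was given or withdrawn. The table and function names are assumptions for this illustration, the sample contacts are constructed, and only the Python standard library is used. The check function treats "no record" the same as "no consent", so there is no pre-ticked default, and the latest event for a purpose always wins, so a withdrawal cannot be overlooked.

```python
"""Consent ledger for a CRM: an append-only record of where each contact's
data came from and when, where and for what purpose consent was given or
withdrawn. Added illustration; not Eazipay's system or any real CRM. Table
and function names are assumptions for this example. Standard library only.
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE contact (
    id          INTEGER PRIMARY KEY,
    email       TEXT NOT NULL UNIQUE,
    source      TEXT NOT NULL,   -- where the record came from, e.g. 'web_signup'
    obtained_at TEXT NOT NULL    -- ISO 8601 UTC timestamp of collection
);
-- Append-only: rows are never updated or deleted, so the full history can be shown.
CREATE TABLE consent_event (
    id          INTEGER PRIMARY KEY,
    contact_id  INTEGER NOT NULL REFERENCES contact(id),
    purpose     TEXT NOT NULL,   -- e.g. 'email_marketing', 'telesales'
    action      TEXT NOT NULL CHECK (action IN ('granted', 'withdrawn')),
    channel     TEXT NOT NULL,   -- where it happened: 'web_form', 'phone', 'unsubscribe_link'
    evidence    TEXT NOT NULL,   -- the wording shown / form version, to demonstrate consent
    occurred_at TEXT NOT NULL    -- ISO 8601 UTC timestamp
);
"""


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def open_ledger():
    """Create an in-memory ledger with the schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_contact(conn, email, source, obtained_at=None):
    """Store a contact together with its provenance; returns the new contact id."""
    cur = conn.execute(
        "INSERT INTO contact (email, source, obtained_at) VALUES (?, ?, ?)",
        (email, source, obtained_at or _now()),
    )
    conn.commit()
    return cur.lastrowid


def record_consent(conn, contact_id, purpose, action, channel, evidence, occurred_at=None):
    """Append a consent event. A grant with no evidence of what the person
    agreed to is refused, because you could not later show what was consented to."""
    if action not in ("granted", "withdrawn"):
        raise ValueError(f"unknown action {action!r}")
    if action == "granted" and not evidence.strip():
        raise ValueError("a consent grant must record the wording or form the person agreed to")
    conn.execute(
        "INSERT INTO consent_event (contact_id, purpose, action, channel, evidence, occurred_at) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (contact_id, purpose, action, channel, evidence, occurred_at or _now()),
    )
    conn.commit()


def may_contact(conn, contact_id, purpose):
    """True only if the most recent event for this purpose is a grant.
    No event at all means no consent: there is no default opt-in."""
    row = conn.execute(
        "SELECT action FROM consent_event WHERE contact_id = ? AND purpose = ? "
        "ORDER BY occurred_at DESC, id DESC LIMIT 1",
        (contact_id, purpose),
    ).fetchone()
    return row is not None and row[0] == "granted"


def consent_history(conn, contact_id):
    """Everything you would need to show the regulator, or the person themselves."""
    return conn.execute(
        "SELECT purpose, action, channel, evidence, occurred_at FROM consent_event "
        "WHERE contact_id = ? ORDER BY occurred_at, id",
        (contact_id,),
    ).fetchall()


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    db = open_ledger()
    alice = add_contact(db, "alice@example.com", "web_signup", "2017-10-01T09:00:00Z")
    record_consent(db, alice, "email_marketing", "granted", "web_form",
                   "Unticked box: 'Email me offers' (signup form v3)", "2017-10-01T09:00:05Z")
    record_consent(db, alice, "email_marketing", "withdrawn", "unsubscribe_link",
                   "footer unsubscribe link", "2017-10-05T12:00:00Z")
    # Bob came from a bought-in list and has never opted in to anything.
    bob = add_contact(db, "bob@example.com", "purchased_list", "2017-09-15T00:00:00Z")
    for cid, name in ((alice, "alice"), (bob, "bob")):
        print(name, "email_marketing:", may_contact(db, cid, "email_marketing"),
              "telesales:", may_contact(db, cid, "telesales"))
    for row in consent_history(db, alice):
        print(row)
```

Run as a script it shows Alice as not contactable (she withdrew) and Bob as not contactable (he never opted in), and prints Alice's full history. The design choices worth copying into a real CRM are the separate purpose per event, the refusal to record a grant without the wording the person saw, and the append-only history rather than a single "marketing: yes/no" flag that loses the when and where.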

You can find out more from the Information Commissioner's Office
