The General Data Protection Regulation, or GDPR, has been at the forefront for many, if not all, companies in the UK over the last few months and takes effect on May 25 2018.
Even once the deadline hits, we will still be learning, updating and adapting to the new rules. The best way for businesses to approach this piece of legislation is to remember that the deadline is not the end of GDPR; it is only the beginning. We must therefore keep improving our efforts to safeguard people’s right to privacy on an ongoing basis.
To make it really simple, here is a checklist of things we are monitoring and will continue to monitor, on a regular basis:
☐ Opt-outs and people who unsubscribe
We regularly check what changes our users are making. A weekly email newsletter, for instance, may not be to everyone’s taste, so when someone opts out or unsubscribes we update our mailing lists to reflect this. They may still wish to receive phone calls, texts or other communications from us, so they are segmented and moved off the email list only; this ensures that our records reflect each user’s wishes.
☐ Changes to policies, procedures or the way we use data
Should we change a procedure, or update the way we store, use or share users’ details and information, we will let them know and ask for fresh consent that reflects the change. It is vital that users know what has changed and that they accept the new terms. We then record what each user agreed to and when, and update their consent status with the new agreement.
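The two points above (keeping per-channel opt-outs in sync and re-recording consent when the policy changes) come down to how the consent record is structured. The following is an added example, not code from the original post: an append-only consent ledger that stores each decision with the policy version the user saw and a timestamp, and that stops counting an opt-in once the policy moves on. The channel names, policy version strings and sample users are all constructed for the illustration.

```python
"""Added example (not from the original post): an append-only consent ledger
that records per-channel consent together with the policy version the user
agreed to and when, and flags consent as stale once the policy changes.
Channels, policy versions and the sample users are constructed for this demo."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

CHANNELS = ("email", "phone", "sms")  # constructed set of contact channels


@dataclass(frozen=True)
class ConsentEvent:
    user: str
    channel: str
    granted: bool           # True = opt-in, False = opt-out / unsubscribe
    policy_version: str     # the privacy notice the user was shown
    at: datetime


@dataclass
class ConsentLedger:
    current_policy: str
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, user: str, channel: str, granted: bool,
               at: Optional[datetime] = None) -> ConsentEvent:
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        ev = ConsentEvent(user, channel, granted, self.current_policy,
                          at or datetime.now(timezone.utc))
        self.events.append(ev)  # never overwrite: the history is the audit trail
        return ev

    def latest(self, user: str, channel: str) -> Optional[ConsentEvent]:
        """Most recent decision this user made for this channel, if any."""
        for ev in reversed(self.events):
            if ev.user == user and ev.channel == channel:
                return ev
        return None

    def may_contact(self, user: str, channel: str) -> bool:
        """Allowed only if the latest decision was an opt-in *and* it was
        given under the policy currently in force."""
        ev = self.latest(user, channel)
        return bool(ev and ev.granted
                    and ev.policy_version == self.current_policy)

    def update_policy(self, new_version: str) -> None:
        """Publishing a new policy deletes nothing; existing opt-ins simply
        stop counting until the user re-consents under the new version."""
        self.current_policy = new_version

    def needs_reconsent(self, user: str) -> List[str]:
        """Channels where the user opted in under an older policy version."""
        return [c for c in CHANNELS
                if (ev := self.latest(user, c)) and ev.granted
                and ev.policy_version != self.current_policy]

    def audience(self, channel: str) -> List[str]:
        """Everyone who may currently be contacted on this channel."""
        users = sorted({ev.user for ev in self.events})
        return [u for u in users if self.may_contact(u, channel)]


def demo() -> ConsentLedger:
    """Constructed scenario: two users opt in everywhere, then one of them
    unsubscribes from the email newsletter but keeps phone and SMS."""
    led = ConsentLedger(current_policy="v1")
    t0 = datetime(2018, 4, 1, tzinfo=timezone.utc)
    for ch in CHANNELS:
        led.record("alice", ch, True, t0)
        led.record("bob", ch, True, t0)
    led.record("alice", "email", False,
               datetime(2018, 4, 10, tzinfo=timezone.utc))
    return led


if __name__ == "__main__":
    ledger = demo()
    print("email audience:", ledger.audience("email"))   # ['bob']
    ledger.update_policy("v2")
    print("bob must re-consent on:", ledger.needs_reconsent("bob"))
```

Because nothing is ever overwritten, the ledger can answer both questions an auditor or a data subject will ask: what is this person's current status, and what did they agree to, under which notice, and when.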
☐ Security settings and computer security
We need to ensure that all our computers, laptops and devices are regularly updated, run some form of anti-virus software, and are password protected with encrypted storage, to help reduce the chances of a security breach. We ensure users do not share logins and passwords, and that they avoid saving them in browser autofill.
We check regularly that staff are following these procedures, and training around data security and device security is a constant process. A lost phone or laptop could constitute a major data breach, especially if it is not password protected and has everything logged in or saved in autofill. A ship has compartments that are allowed to flood if it is holed; what stops the whole vessel flooding is a sealed bulkhead door. The same approach should be taken to security: ask what happens if it sinks, and which doors you have locked to contain that breach.
☐ Staff permissions for certain areas of our systems (some things are on a need-to-know basis)
Keeping our devices secure is a must, but securing the information itself is just as important. Certain information should not be left on desks, in printers, or open on an unlocked computer while you make a cup of tea, and should not be viewed in public, on the train or in a coffee shop. By protecting areas of our databases, we limit the exposure of such information and protect both ourselves and our users. Would you want someone digging through your finances out of curiosity? We would not, so we have set up our files so that only the employees who need access can view them.
☐ Cookie windows and the types of cookies we are using
Under the right to be informed, the users of our site should know what cookies we set, what they do and what they collect; the more information we can give them, the better. Allowing the user to make an informed decision means the consent we gain comes from a user who knows exactly what they are accepting. This gives the user confidence in the business and improves transparency about what is being collected and used.
This list is an insight into some of the ways you can maintain your databases, consent records and key procedures for when GDPR hits at the end of next month. Always remember that the deadline is the beginning of the journey: the lessons we learn will keep evolving, and the way we approach the collection and maintenance of such data will need to evolve with them.