Concerned about the GDPR changes? Peel yourself off the ceiling and grab another tasty treat from Nana’s afternoon snack tin. While this is a turn of events, it doesn’t mean you cannot market to the EU. Nor does it mean you should scrub the EU off the “future plans” whiteboard in the boardroom.
Most companies are abiding by many of these regulations. You will have to review and tweak your business if you have ties to the EU.
Here are some of the steps you should take towards GDPR compliance:
Please note: these are not all of the GDPR compliance requirements, and circumstances may differ for your organisation.
- Think about customers in the EU, citizen or not. Recognise that the GDPR applies to EU citizens as well as to your customers while they are in the EU, and treat data collection appropriately.
- Review your current terms and conditions, especially if you have stated terms of service your customers must abide by. The GDPR lowers the threshold of consent for your customers and their data. Make sure you don’t accidentally have written statements that demonstrate non-compliance.
- Take the time to review the policies your company may have in place under the current Australian Privacy Act. While this is fairly robust, it will need revision. You will need to obtain explicit consent for data capture (as opposed to inferred or implied consent through usage). You will also have to provide the ability to review, amend, delete or refuse any data collected on an individual who is an EU citizen.
- Consider pseudonymisation. You are encouraged to adopt pseudonymised record-keeping to ensure the privacy of your EU customers.
- Treat hacks seriously. During any hack or breach of information, you need to inform customers immediately rather than leave it until months after the event (hello PlayStation!). This is part of allowing customers the right to make decisions about their data’s current and future safety.
- Report hacks appropriately. A breach, hack or suspected leak must also be reported to the authorities in a timely manner to minimise risk to the customers and their data. This includes successful and failed attempts, on the large and small scale. Timely means it must be reported within 72 hours.
- Give customers autonomy. The process of data capture and its subsequent access and erasure needs to be in the hands of the customer. Your customers need to be able to reject data capture. They also need to be able to review, erase, and restrict the usage and processing of any data your company collects. And it must be a simple pathway to making this happen.
- Appoint the right people. If you are a large-scale organisation that monitors data to track users and/or for a public authority, you must appoint a Data Protection Officer (DPO). This is an independent position charged with overseeing the “regular and systematic monitoring” of customers. They report to senior management, and failure to have one may result in a fine.
- Review your capture of any data related to criminality and criminal records. This may apply to NFP, social justice and policing organisations, or even WWCC. Here again, you must have a DPO in place.
- Run an information audit that maps out how and where your data flows throughout the organisation. This includes capture, usage and application. It also means mapping the routes into and out of your organisation to third parties.
- Review your data collection relationships with third parties to ensure integrity. Ignorance on their part or yours is not a defence for breaches.
- Make sure your customer service frontline teams are compliant at all times. This may mean re-training, dropping certain questions, changing phone and chatbot scripts to include the option to decline sharing data, and more.
- Include the marketing teams and the IT teams in this training. Ensure everyone is operating as a unified group by May 28th, 2018. Consider the certification offered under the GDPR as part of an overhaul of policy and procedure, as well as a new way to attract EU business!
Don’t get thrown by GDPR Compliance
Does this sound like a lot of homework? Then why not get an ally on your side?
Contact Webcoda to find out how you can make the process of remaining in business in the EU while also meeting the GDPR regulations simple. We’re aiming to help our affected clients make the most out of the opportunities, not be ground down by the legwork.
Need help with navigating your GDPR compliance and meeting your data treatment requirements? Contact Webcoda today!