GDPR was adopted on 27 April 2016 and is already in force; it becomes enforceable on 25 May 2018.
Are you in or are you out?
With GDPR you need to be completely clear about what information you are collecting and how that data is going to be processed. It will no longer be acceptable to assume a client has given implied consent to your terms or has opted in to marketing updates; consent has to be freely given, specific, informed and unambiguous.
If you’re asking contacts to send you general questions about your services through a contact form, that doesn’t give you the right to ask whether they identify as male or female, find out their marital status or ask for their mother’s maiden name. GDPR prohibits this through the data minimisation principle, which requires that you collect only the data necessary for that particular activity.
When storing the personal data of people in the EU (GDPR applies to data subjects in the EU, not only to EU citizens), you must keep it private and limit access to only those users within your organisation who require it. You must also make sure that the database where this data is kept is secure, with layers of protection in place to prevent a breach, and ensure that passwords to any CMS are strong and are not shared.
Not every organisation needs a Data Protection Officer
The role of Data Protection Officer (DPO) becomes “mandatory” under GDPR. However, not every organisation will need to rush out to appoint one. A DPO is only required for public authorities, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organisations that process special categories of data on a large scale.
IT and marketing are not suitable DPOs
GDPR states that the DPO must not have a conflict of interest, which rules out a dual role of overseeing data protection while also deciding how data is processed. In practical terms, this means that an IT manager is not the best choice for your DPO. The marketing manager might also have a conflict of interest, while sensible options could be your head of finance, risk or legal. Your DPO doesn’t need to be someone within the organisation, so it could be easier to appoint a lawyer or external expert.
You have 72 hours to report a breach – where feasible
Personal data breaches need to be reported to the relevant supervisory authority within 72 hours of your becoming aware of them. The affected individuals must also be notified when the breach is likely to result in a high risk to their rights and freedoms. However, if the breach “is unlikely to result in a risk to the rights and freedoms” of people, reporting to the authority is not required. Firms also have a slight get-out clause here with the “where feasible” phrase attached to the 72-hour limit, although a notification made after 72 hours must be accompanied by the reasons for the delay.
Get prepared, get educated, and make sure those around you are also in the know.
For more information, please contact a member of our team at: email@example.com