GDPR: Key areas that affect your business
Written by Dave Garwood, Operations Manager
Key areas of the business that GDPR impacts
Since starting on the Riverbank GDPR journey, I’ve been trying to find the best way to not become intimidated by it all. I mentioned in my first GDPR journey blog about the colossal amount of work that is involved in GDPR compliance, and the problem that I have had (and that I am sure that many others will have) is that there appears to be so much to do that you don’t really know where to start. This can lead to paralysis, which in turn leads to progress being non-existent. So, what can you do?
The way I see it, there are 2 options:
- Bury your head in the sand, ignore it, do nothing, and hope it will all go away (hot tip: it won’t), or
- Break it down into subsections, which can then be essentially isolated as separate slices of the GDPR cake which are much easier to digest than eating the whole cake at once *. Yes, there is some crossover between subsections and a lot of the policy stuff covers everything, but we will deal with that later.
These are the 4 broad subsections that I am working with:
1. Internal Riverbank
This involves looking at the personal data that we hold and process for our own staff. For us, there is more of this than the information we hold for our clients and the data includes sensitive personal data, which requires more care. We have most of the information identified and the next step is amending employment contracts to get permission from staff to process their personal data.
2. Our Clients
Riverbank doesn’t hold a huge variety of personal data on our clients, but we do have a lot of clients. So, any work we have to do will need to be repeated for each of them. We also need to consider that we are both a Data Controller (holding their staff information on our systems) and a Data Processor (through the services we provide) for them, so there is double consideration here.
3. Our Suppliers
The last week has seen me housekeeping our supplier list and slicing it by 50%. This makes the next job easier, which is contacting each one to find out how they are going with their GDPR compliance. You will need to do this pretty soon if you haven’t already started it. Why? Because some companies will respond slowly or need chasing, and you need to have plenty of time to find new suppliers and transition to them should you need to. We have already found a couple that will need close monitoring to ensure they become compliant in good time. We will make a decision on their progress in the new year to give us plenty of time to move somewhere else.
4. Marketing and Prospects
Existing Marketing contacts are relatively straightforward. You just need to get all of them to give GDPR compliant consent before the deadline. Post-25th May 2018 however, is a different story. How do you get in touch with potential prospects to ask them to sign up for your newsletter if you aren’t allowed to contact them to ask? How do you drive them to you effectively, without contacting them directly? Bit of a conundrum that, and one that we are looking at.
This is one of those areas that is going to drive innovation in my opinion as the old rules don’t apply. The bottom line here is, do as much as you possibly can before 25th May 2018 to get your Marketing database as big as possible, with everyone signed up with appropriate consent. That way you’ll at least have some prospects to contact come GDPR-day.
Depending on the way you work, these subsections may be useful, or you may need to create some different ones. Either way, I would recommend doing it, it’s helped me get my head around it all by letting me compartmentalise the work.
Oh, and one other thing I learned this week:
Use personal consent only where necessary. For all of the personal data you process, you need to have a lawful basis for doing so. The thing most people think about here is personal consent, and for marketing activities, this is the key one. But don’t forget that there are other lawful reasons, such as to enable performance of a contract, or for compliance with a legal obligation.
Build the consent into the terms and conditions of your contracts with your clients (the companies, not the individuals). That way you can process the personal data without the specific consent of the individual(s) as you need to process it to satisfy the contract. What this actually does is pass the requirement for consent to the client, who will need to get consent from their staff (through their employment contracts) to pass on personal details to you, thus saving you the problem.
And so the GDPR journey continues…
* I’m hungry, hence the cake reference. I’m working from home and the smell of potato curry coming from the kitchen is very distracting. There is also a homemade Jamaican ginger cake on the side that’s calling my name. Darn the fact that my wife is a culinary goddess.
Dave Garwood will be blogging regularly about his GDPR journey, including explanations of specific parts of the regulations alongside his practical experiences of the implementation at Riverbank.
At Riverbank, we can guide you on your journey to IT compliance, making sure your systems are in line with the new requirements. If you need an expert IT partner to see you through the process before the new rules kick in next May, give us a call on 01235 426700 or email firstname.lastname@example.org to discuss the details.