GDPR: 5 actions to take before the May deadline


It’s only a matter of weeks to go now until GDPR comes into force.

Rather than talk about the principles of the regulation, which hopefully you are up to speed with by now, it’s time to focus on some practical actions you can take prior to the 25 May deadline.

1. Review and revise your Data Protection Policy

Your Data Protection Policy is the internal document for your business or practice. It should detail what your company’s processes and procedures are and effectively be the ‘go to’ document for your staff whenever they have a data protection query.

The Policy should be more than just a document that is drafted and then filed away never to be referred to.

Action required: Update your Policy to reflect procedures for data breaches; managing individuals’ rights; using your own device at work etc.

2. Review your data

It’s time for a spring clean of your data. Remove old, out-of-date and no-longer-required data; old contacts no longer engaged with your business or practice; and don’t forget to clean any server back-ups of this data too. Your organisation’s mindset should be about good quality data that you will need and use.

Re-clarify contact data if necessary. Do you have contacts in your system whose permission status you’re uncertain of? Beware. If you don’t have permission to email contacts then you can’t email them to re-clarify their consent. But you can ask them to confirm the data you have on record about them is up to date (providing them with an opportunity to be deleted) and invite them to subscribe to communications at the same time.

Don’t forget to look at employee, supplier and partner data too. It’s not just about your clients.

Action required: Safely delete and clean your old, out-of-date data.

3. Gain GDPR-compliance assurances from third parties

Under GDPR you have a responsibility to make sure that any third-party systems you use for storing, transferring or processing data are also GDPR compliant. Think CRM systems, cloud storage, email marketing platforms, website CMS systems, online payment platforms and shopping carts… the list goes on.

Action required: Ask all your system suppliers for a statement (or links to where these can be found online) and put them in an appendix to your updated Data Protection Policy. They will be expecting your request and you won’t be the only one asking.

4. Make sure your website is compliant

You need to provide people with all the information they need to make an informed decision about whether they wish to share their data with you. That means making sure people can easily find your privacy policy. Your privacy policy should say why you collect data, what you do with it, what their rights are and how they can opt out when they want.

Your cookie policy and cookie notice need to be up to date and easy to find online too.

Action required: Review and update your privacy and cookie policies and check you have a cookie notice.

Finally, is your website secure? Last year Google started to rank down sites that didn’t have an SSL certificate set up. Basically, are your web pages http:// or https://? They should be https:// for extra security to visitors on your site and to make sure you aren’t penalised in search engine page results.

Action required: Check you have an SSL certificate (https://). If not, you can purchase one from whoever provides your domain registration.

5. Train your teams

With all this change it’s important to make sure your staff know what’s happening and what to do going forwards.

Set up some training sessions for staff, explaining in simple terms what’s changed and what the new procedures are. Also, make sure you include managing data in your new employee induction process.

Action required: Arrange staff training sessions.

GDPR shouldn’t be a cause for panic but, equally, you can’t just ignore the fact it’s coming into force. With these practical steps you will be making good progress into making sure you are compliant as well as reassuring your clients, suppliers, employees and stakeholders that you are ready for 25 May.

Accountingcpd partner with AAT to publish The AAT Technical Updates Pathway 2018 – 20 weeks of expert-led digital learning to keep members up to date. GDPR is covered in week 5 of this pathway.

Becky Reid is a digital marketing consultant and practitioner, covering website content and SEO, email marketing, data protection, data management and more.
