Shh, listen. Can you hear the faint cries of joy?
That’s just people cheering as they delete the last of the GDPR emails from their inbox.
Deadline day is finally here. For many, if not all, businesses, Friday 25th May has been circled on their calendars as the biggest day of the year.
But today is not the day to take a big sigh of relief.
GDPR is a future-proofed measure to encourage the secure handling of personal data across the EU, and any business that collects or processes the personal data of individuals in the EU (regardless of where the business itself is based) is subject to the regulation.
While there’s so much information out there on how to get your business compliant before the deadline, do you know how to keep the ball rolling after 25th May?
Read our three simple next steps on what to do after the GDPR deadline.
Under the new rules, clarity and transparency about your clients’ data is crucial. Customers who contact you about their data need to know and understand why you are keeping their personal information, what you do with it and who you share it with.
Clients can submit a Subject Access Request, asking you for a copy of all the personal data you hold about them, together with an explanation of why you hold it. Individuals also have the right to erasure (the ‘right to be forgotten’), which in many circumstances obliges you to delete all the personal data you hold on that person. It’s important that you and your team understand these rights and have the facilities to act on them: that means being able to find every copy of a person’s data, across every system and backup, not just the main database.
Ensure you are quick, respectful and responsive to your clients’ requests and questions. You must act on a subject access or erasure request without undue delay and in any case within one month of receiving it. If a person opts out of your business’ correspondence, stop contacting them straight away, and if you have no other lawful reason to keep their details, delete them. Ignoring these obligations exposes your company to substantial fines, which under the GDPR can reach €20 million or 4% of global annual turnover, whichever is higher.
Keeping all your data-handling employees up to date with the latest compliance information is essential for making your business tick. Under the new law, the rules around securing data have been updated; that means the Data Protection Act 1998 has been superseded, and your team need to know what has changed and how to put the new requirements into practice.
While you’re at it, make sure your policy is kept up to date so it includes:
Why are you keeping that data? Many of us are guilty of keeping client data ‘just in case’. However, under the GDPR, you can no longer collect and keep personal data (the GDPR’s term, which is broader than the US notion of PII, Personally Identifiable Information) that you don’t need: data must be adequate, relevant and limited to what is necessary for the purpose you collected it for.
When collecting data from data subjects, you must detail how the data will be used and how long it will be retained for. For instance:
This also enables you to identify the data you do not need and minimise your data as required by the GDPR.
GDPR isn’t just for one day. These best practices need to continue for as long as the GDPR is in place.
So whatever the size of your business, stay compliant and stay secure!