Getting Ready for the GDPR: What Companies Need to Know

The General Data Protection Regulation, or GDPR, is coming into effect in May 2018 and replaces the current Data Protection Act. It’s been 25 years since data protection legislation was written and the laws were in need of an overhaul. However, companies need to be prepared to comply with the new laws or face fines. A lot of work needs to get done in a year’s time, so it’s best to get started right away.

[Image: General Data Protection Regulation. Image credit: Blogtrepreneur]

Customers Need Access to Their Own Data

No longer can a customer’s personal information be withheld from them when they ask for it. Now a company has to supply the customer access to their own data and let them view what has been done with their personal information. This is now a right afforded to private persons who have supplied their personal information to a company. It’s known as a subject access request, and a company must comply with such a request or face a fine.

Get Clear Consent From Customers to Use Their Personal Data

Up until the GDPR, privacy policies were relegated to a link anchored in “click here for more information about our privacy policy” while encouraging the user to tick a box that said they read that policy. A company can no longer set the privacy policy to the side where it will go mostly unread. Now companies have to write the policy in plain language that’s easy to understand and clearly state why the information is being collected and how it’s going to be used in the future. No longer can a company use confusing legal language in the policy and bury how it handles customer information.

It’s also more difficult to share personal information with third parties. The standard operating practice was to put language stating that personal information may be shared with third parties in the privacy policy. Opting out of the sharing of data wasn’t possible for customers because the sharing of information was lumped into the policy as a whole. Now the business has to separate the sharing of information with third parties from the rest of the policy and give the customer the option to opt out of it separately. Departments involved in dealing with customer data should read the GDPR to understand how they have to handle that data.

Retaining Use Records

Companies aren’t barred from doing anything with personal data. But they must keep records of everything done with that information. Article 30: Records of Processing Activities governs how a company must keep track of what happens with customer data. Tracking information has to include who moved the data, why it was moved, and contact information of those who initiated the change. It is a lot of information to track, but software automates most of the process and reduces the amount of effort needed. These are some of the things a company needs to know for the upcoming shift to the GDPR. Private citizens are gaining more rights and companies have to respect those rights or face the consequences.
