Unless you’ve had your head stuck in the sand for the past year, you’ll know that GDPR is coming! What last minute things should you be doing now? We grab five minutes with Circdata’s Hellen Beveridge to find out.
Q: Is the publishing industry ready?
A: It’s a very mixed picture – but overall, I would have to say it is very far from ready. Some organisations still haven’t begun any kind of compliance process and others are yet to understand the levels of record keeping they are expected to keep. Those who are approaching some semblance of readiness are those that have been working on this for over twelve months now. Elsewhere, there are organisations who know what they should be doing and are beginning to get to grips with it; but unfortunately, there are a significant number that are either doing ostrich impressions or who still firmly believe that it is like Y2K and will all disappear on 26th May.
I have seen some dreadful examples of privacy notices and other client-facing communications. My favourite yet is the company that has designated its managing director as the Statutory Body – I’m pretty sure that Elizabeth Denham and the ICO might have something to say about it.
While some publishers have got their data collection forms correct, the records and registers of processing are a much bigger task, as well as trying to complete all of the paperwork surrounding the use of data processors.
Q: What should be the top three items on any GDPR compliance check-list?
A: 1. Your privacy notice or statement. The amount of effort you put into this is a direct reflection of the amount of effort you are putting into your data protection policies. You won’t be able to write a good one if you haven’t been doing the back-office work with regards to managing your data.
2. Sort out your data retention policies. I’m yet to come across any publisher who had (before GDPR) any clear idea of how long they should be keeping data and keeping a coherent record of this. It’s a key part of existing data protection legislation.
3. Get your records of processing up to date. Someone described this to me as a bit like your maths homework – show your workings out. Everything you do with data should be clearly documented. The authorities care far more about this than whether you had an appropriate tick box on your form or not.
Q: What are the best information resources for GDPR requirements?
A: The ICO has been working very hard to publish appropriate guidance for businesses of all shapes and sizes – you can find this on their website, ico.org.uk.
The DMA has also been a frontrunner in terms of producing good information – particularly in terms of marketing and the juxtaposition between GDPR and PECR.
The Data Protection Network is another good resource – with guidance on legitimate interests and conducting DPIAs.
Plus, there is the IAPP – with more general data protection advice and opinion.
Q: What final steps should well-organised publishers be doing?
A: Making sure they have completed their records of processing and that they have a full set of supplier / vendor contracts and SLAs in place.
Setting up staff training as this now needs to be done on an ongoing basis.
Practising their data incident procedures and understanding how the team managing and making decisions about this is organised.
Decide how to ensure that there is data governance within the business, either with the establishment of a compliance function or by contracting an external subject expert.
Q: For less well-organised publishers, who might have left it very late, what advice would you give them?
A: Don’t panic! The worst thing that you can possibly do is to put ill-conceived documentation into the public domain, or worse still, try to reconsent a database that doesn’t need to be.
If the ICO comes looking, they are going to want to see an action plan and a desire to move the business to a compliant place as quickly as possible, so if you do not have the expertise in-house to do it quickly you are going to need to bring in external help.
If you know you are processing risky data (i.e. payments / direct debits, union membership data etc.) then you will need to move much faster than if you are processing B2B names and company addresses.
Q: Will the sky fall in on 26th May?
A: No – for two reasons, firstly it’s a Saturday and secondly it’s a Bank Holiday weekend…
Flippancy aside, everyone in the privacy community sees this as a long haul to get businesses operating in a compliant manner. One EU Commissioner likened it to the introduction of health and safety legislation (GDPR is also a risk-based law) which took ten years to bed down into the collective business consciousness.
But that shouldn’t lead to complacency – remember that every single individual on your database(s) – including your own employees – is a potential whistleblower, so the quicker you get your house in order, the lower your risk.
Finally – don’t forget that the UK Data Protection Act 2018 looks like it is going to get over the line as well by 25th May, so that will require some additional analysis. That, plus the updated ePrivacy Regulation, the uncertainty surrounding Brexit and updated guidance on the application of GDPR is going to keep everyone on their data protection toes for some time to come.