We know there’s a lot of advice, some of it conflicting, going around about GDPR. The most important thing is that you haven’t ignored it and have done something about it.
Here is a list of some basics (not comprehensive) which should be done:
- Check your current legal compliance (you might be falling short, and this affects the data security, choice, portability and other aspects of GDPR).
- Understand what ‘Personal Identifiable Data’ (PID) is, the role of and advice from the Information Commissioner’s Office (ICO), and where to start.
- Do a Data Audit (so you can show you have looked at where your data is, why you need it, how you are securing it and how you are making it usable). It’s hard to protect something when you’re not sure what you’ve got or where it is. Boring as it is, this is also proof that you have taken your GDPR responsibilities seriously, and it will be the basis for your Data Policy.
- Realise that it’s not all digital: you need to secure the PID you store on paper (like sign-up sheets), control who can access your computer, and think about that backup drive which is easy to steal.
- Check your Website Forms – consent is one of the cornerstones of GDPR – that is, you can show that ‘this person specifically requested this on an opt-in basis on this day’. This is easily stored in MailChimp or similar so you can report on it if requested.
- Think about Email Accounts, especially if you’re using personal email accounts like Gmail and Yahoo; unless you are a 1-person business, this really should be changed. It’s all about the organisation having control of all the PID and other data.
- Be clear re: Email Newsletters and your legal basis for sending such updates. Does it mean you need to delete all data for people who didn’t click the button? There seem to be differing approaches, and there aren’t yet any test cases from the ICO to clarify.
- If you’re an Online Shop there are a few more i’s to dot and t’s to cross.
You will also want to check if you need to register with the Information Commissioner’s Office as a ‘Data Controller’.