Close Brothers Motor Finance has put together some pointers for businesses to consider when the GDPR comes into force later this month.
1) Make a plan and have a timeline
The GDPR comes into force on May 25th 2018 and applies to all UK organisations which hold or process personal data. If you’re not compliant by then, you could face huge administrative fines (up to 4% of global turnover or up to €20m). It’s crucial that you make a plan of action towards compliance, and keep a record of what you do. The ICO has produced a guide on the 12 steps you should take now.
2) Assess all personal data you hold and have access to
The GDPR sets out how we keep personal data and what we can and can’t do with it. For example, data must be “collected for specified, explicit and legitimate purposes”. It is important to ensure that information is not captured without reason and that the customer knows how and where their data will be used. Under the GDPR, you can still retain customer data, however you cannot retain personal data for any longer than is necessary, so if you do want to hold on to it, you need to have a valid reason for doing so.
3) Review your privacy notice
The most common way to provide information about how you will use a customer’s personal data is in the form of a privacy notice. Most companies already have a privacy notice, but there may be some changes required under the GDPR. If you don’t have a privacy notice already, then you should create one. It should be easy for the customer to understand, and should explain what you do with their data and why. If you do have one already, check through it to ensure that it’s easy to understand and covers every activity in which you’ll be using customers’ data.
4) Check your consent process
Make sure that you understand what personal data you collect and what you use it for. You might not always need to gain consent if you have other lawful bases for collecting the data. Direct marketing to individuals who are not your customers generally requires the individuals to have consented to hearing from you in the channel used (i.e., email, SMS, phone, post) and about the type of product or service you are marketing. This means any web enquiry forms on your website and other ways of identifying leads will need to be reviewed to confirm appropriate consent language is in place. You may be able to market to existing customers without explicit consent, provided you are marketing related products or services to those who have already purchased; the individuals have an opportunity to opt out of future communications; and you stop marketing to anyone who does opt out.
5) Train your team
It’s important that you and your team understand what the GDPR is. To promote best practice, you should train all of your staff about the principles of the GDPR so that they understand the importance of protecting customer data. Training is also one of the first things that the ICO might ask about if they were to investigate your business, so make sure you keep a record of any training you provide to your team.