GDPR Compliance: A Few Tips For Your Business

A few months have passed since the General Data Protection Regulations (GDPR) came into force and, although some organisations spent months preparing for the new laws before the change, there are a number of businesses which are still working towards closer compliance.

It is important for every business to appreciate the importance of getting its procedures right, as being fair and transparent will not only minimise the potential risk of a hefty fine from the Information Commissioner’s Office but is also likely to have a positive impact on your relationship with your customers. Below are a few tips for your organisation:

1. Appoint an internal GDPR officer

Smaller businesses are unlikely to be legally required to appoint a DPO (a data protection officer) but it would be recommended to have a designated person who can lead organisational changes or to whom specific privacy issues can be referred internally. Such person should ensure that they are familiar with key obligations imposed by GDPR and, ideally, have a professional whom they can contact with any queries should they need to seek legal advice, for example, in the event of a security breach or a data subject access request.

2. Review your privacy policies

Make sure you have up to date privacy policies explaining how you are collecting, storing and otherwise processing personal data of your customers, suppliers and employees (including ex-employees, candidates, consultants and subcontractors). Are the policies clear and transparent about how and for what purpose you use personal data? You should ensure that the policies are regularly reviewed and are as specific to your organisation as possible. Generic or vague statements are unlikely to be GDPR compliant.

3. Monitor your security arrangements

Do you have organisational and physical security measures in place to ensure that any risk of personal data being accessed by unauthorised third parties is sufficiently minimised, e.g. clean desk policy and locked cupboards? You should also regularly review your cybersecurity with IT providers.

4. Make sure your marketing strategy is compliant

You should ensure that your marketing strategy is in line with GDPR requirements and, where you send electronic marketing information, with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended). Are you comfortable and can you demonstrate that your customers have expressly consented to receiving e-marketing messages from you? Are you providing your customers with an option to unsubscribe? If a person opts out, do you have appropriate systems in place to ensure that that person is not contacted again, e.g. a suppression list?

There will be a number of other equally important matters for your business to consider and if you are ever in doubt about your obligations, you should seek help from a professional.

General Data Protection Regulation (GDPR) Training Packages

IBB’s data protection and GDPR lawyers can keep your business or organisation on the right side of the GDPR obligations. If you would like advice on the new regulations, GDPR training packages or any of our other services please call 03456 381381 or email corporate@ibblaw.co.uk.