The GDPR comes into full effect on 25th May 2018, but that doesn't mean you can wait until May to start work on compliance. Do you even know what you need to do to become compliant?
The GDPR sets two tiers of fines. For the lower tier of infringements the maximum is €10 million or two per cent of a firm's worldwide annual turnover (whichever is greater); for the most serious infringements it is €20 million or four per cent.
We have put together a brief guide of what you need to put in place to comply.
Training organisations are particularly at risk of falling foul of the regulation because so many of them keep customer data in ad hoc Microsoft Excel and Word files, often copied between laptops and sent by email. The GDPR does not ban any particular tool, but files like these rarely have the access controls, encryption, audit trail or single source of truth that the "appropriate technical and organisational measures" and accountability requirements demand. With maximum fines many times higher than those under the Data Protection Act, every company needs to get its ducks in a row, and quickly.
One of the biggest, and most talked about elements of the GDPR is the power for regulators to fine businesses that don’t comply with GDPR.
- If an organisation doesn't process an individual's data in the correct way, it can be fined.
- If an organisation is required to appoint a data protection officer and hasn't done so, it can be fined.
- If there is a security breach and it isn't handled and reported properly, the organisation can be fined.
What are the Major Changes from DPA to GDPR?
Your organisation will be more accountable for the handling of your customers' personal information.
This can include having data protection policies, carrying out data protection impact assessments, and keeping records of how data is processed.
In the last 12 months, there’s been a score of massive data breaches, including millions of Yahoo, LinkedIn, and MySpace account details. Under GDPR, the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data has to be reported to a country’s data protection regulator – in the case of the UK, the ICO – where it could have a detrimental impact on those who it is about.
This can include, but isn't limited to: financial loss, breaches of confidentiality, damage to reputation and more.
The ICO must be informed within 72 hours of the organisation becoming aware of the breach. Where the breach is likely to result in a high risk to the people affected, they must also be informed without undue delay.
How Should I Collect / Store Customer Data?
The GDPR requires businesses to have a lawful basis for processing personal data, and in some situations that basis will be the individual's consent.
When an organisation is relying on consent to lawfully use a person's information, it has to be clear what the person is consenting to, and consent has to be a "positive opt-in".
For example: when a customer places an order via your website, the mailing list check box must NOT be ticked by default. Your customer must "take positive action" to join your mailing list by ticking the box themselves, and you should keep a record of when and how they did so.
The system you use to collect customer data should be secure. If you capture customer data via your own website or another computerised system, the connection should be protected with TLS (the technology behind HTTPS, often still called SSL) so that the details cannot be read or altered in transit. We highly recommend using a secure training management system such as the Genius Training Management System.
Your customer data should also be stored in a secure environment, such as an access-controlled database within a Training Management System or CRM system. Keeping it in a Microsoft Excel spreadsheet, with no access control, no audit trail and copies scattered across laptops and inboxes, makes it very hard to show you have met the GDPR's security requirements and is just asking for trouble.
Making Customer Data Available to Them
You must be able to provide a customer with a copy of all the personal data you hold on them, normally free of charge, within one month of their request. That sounds simple, but if you had to compile everything you store on a customer at short notice, how long would it realistically take you? Such a request could cause major disruption to your business unless you have policies and procedures in place to handle it. A GDPR-compliant Training Management System will save you hours or even days of work.
How do I become GDPR Compliant?
The ICO's GDPR guide, which is available to download in PDF format here, includes steps such as making senior business leaders aware of the regulation, determining what kind of personal data is held and where, updating procedures for subject access requests, and deciding what should happen in the event of a data breach.
As well as this guidance, the ICO says it is creating a phone service to help small businesses prepare for GDPR. The service will provide answers about how small companies can implement GDPR procedures and starts at the beginning of November 2017.
One of the simplest and most complete ways to meet the storage, security and subject access requirements is to invest in a cloud-based Training Management System such as the Genius Training Management System. With prices starting at £120 per month, now is the time to get started.