Welcome back to part two of our GDPR basics blog series. If you haven’t read part one yet, you can find it here. Make sure you’ve read our blog on the DPA too!
This blog will continue where we left off in part one. We’ll cover a few more areas of GDPR that you need to know about and bring into your organisation’s data protection policies.
Do you cover all aspects of individuals’ rights?
You should already have all of the required individuals’ rights covered (right to be informed, right of access, etc.), since they have been in place since the DPA in 1998.
That being said, you should make sure that all of your processes are functioning well. A good check of this is to test how you would react if someone asked to have their personal data erased. If you struggle with this, then it might be a good time to revisit your policies and train your relevant staff members in how to use them.
A key individual right is the right of access. Anyone who has their personal data stored by you has the right to view it. You will need to be able to provide this information quickly, in a readable form, and free of charge.
Make sure that all of your procedures are simple, accessible to your staff, accountable, and properly cover individuals’ rights!
How well do you manage consent?
Take some time to review how you manage consent when information is passed to you. It’s important that every time someone decides to give you their information, they are positively opting in. Right now, you might be using pre-ticked boxes or inactivity to get this opt-in, but GDPR’s arrival means you will no longer be able to use these as a legal opt-in.
Put simply, a positive opt-in is someone taking an obvious and positive action to allow you to use their data. This could be a spoken or written statement, filling out a captcha, or any other action that is clear and positive.
Also, individuals have to be given a genuine choice to opt-in. If they have no choice but to opt-in to reach content or unlock part of a service, then it’s not a real, genuine choice.
Bear in mind that this positive consent is only binding if you keep a record of it. This record has to consist of a time and date, as well as the method used to opt in and the details of the individual.
Any data that you have stored that doesn’t meet these requirements must be refreshed. You will have to get back into contact with these individuals and request their permission again so that their data is in line with GDPR requirements.
This covers the basics of GDPR, but there are other areas to consider. Depending on your business and the industry you operate in, you may have to tackle other rules that GDPR brings next year.
Make sure that your designated Data Protection Officer is well versed in the changes that GDPR will bring. They will be responsible for your organisation’s compliance and will have to assess, on a regular basis, how your procedures are handling these new rules.
If you’d like to talk about great marketing in a post-GDPR world, feel free to tweet at us (@weareredpepper). Otherwise, there are some amazing resources available online through the ICO and the UK government.