Blog: 21-05-17

GDPR In the Channel....how you can prepare for May 2018

GDPR - how does it affect you?

GDPR (General Data Protection Regulation) is an acronym that you’re probably familiar with by now, right? You must have seen it even if you’re not entirely clear on what it is. In particular, here at purechannels we are having conversations on a daily basis about how we can help all types of organisations in the channel.

Grab a cuppa and have a read of our quick and helpful guide. Over the coming weeks, we’ll be posting a lot more information to help you understand and prepare for GDPR, May 2018.

Firstly, you need to be clear about what GDPR is and what it means for your business.

What is GDPR?

On the 25th May 2018 GDPR will be enforced. The regulations are an extension of the DPA (Data Protection Act) and will protect customers as well as give them greater power over the data that businesses hold on them.

With greater security threats and breaches occurring all too frequently, you will be required to handle customer data extremely carefully and be seen to be doing the maximum to avoid data breaches and cyber-attacks.

Lack of compliance could mean fines of up to €20 million or 4% of your previous year’s turnover, whichever is the greater.

Will it affect you?

If you work in B2B, then don’t expect to get away without being compliant. GDPR is the most significant law that has been enforced over the last 20 years, and will affect every business big or small across 28 counties in Europe as well as anywhere else which handles personal data on EU residents. Now is the time to take the necessary action to stop non-compliant data activity occurring in your business, which could result in you facing these crippling fines. In addition, you’ll need to look at how compliant the organisations are in your channel; vendors, distributors and the partners you work with.

Why should I bother?

Under the new GDPR legislations, businesses will have 72 hours to notify and communicate any breach occurring. Failure to do so could cause your business to receive the maximum fine of €20 million or 4% of last year’s turnover, whichever is greater.

Businesses, especially those large enough to operate a procurement department, will be looking to work only with companies that are GDPR compliant, which could result in the loss of business for some, but opportunities for others. This is of particular relevance in the channel and supplier engagement.

The 12 steps

The following simplified 12 steps are a great starting point to compliance, which should be considered now.

1. Awareness - Decision makers and key people in your organisation should be aware that the law is changing with regards to GDPR and what the implications of doing nothing are.
2. Information you hold - You should document what personal data you hold, where it came from and who you share it with. An information audit may be the simplest and quickest way to achieve this.
3. Individuals’ rights - Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
4. Communicating privacy information - Put a plan in place for making any necessary changes to your current privacy notices in time for GDPR implementation.
5. Legal basis for processing personal data - Look at the different types of personal data you hold, understand your legal basis for carrying it out and document why.
6. Data breaches - Ensure you have the right procedures in place to detect, report and investigate a personal data breach.
7. Data Protection by Design and Data Protection Impact Assessments - Review the ICO (information Commissioner's Office) Privacy Impact Assessments and how and when to implement them.
8. Consent - Review how you are seeking, obtaining and recording consent and whether you need to make any changes.
9. Subject access requests - You should update your procedures and plan how you will handle requests by individuals for data you hold about them. The requests will need to be turned around much quicker, as well as providing more information.
10. Children - Consider putting systems in place to verify individuals’ ages, as well as gathering parental or guardian consent.
11. Data Protection Officers - You should designate a Data Protection Officer to take responsibility for data protection compliance and assess where this role will be within your organisation or outside.
12. International - If your organisation operates internationally, be clear about which data protection supervisory authority you come under.

Recommendation

With almost exactly 12 months to go, there are some big changes to consider around how you handle, store and manage personal data, as well as the vendors and suppliers you interact with.

It is best to seek some expert advice on the matter to understand exactly what the implications are for your business, given the potentially high fines.

There are some significant implications on your business too, and we will be covering these in future blogs. This week we will start our “12 months to GDPR countdown”… so watch out for that too.