GDPR: 7 business changes you really need to make

1. Review what personal data you collect, where it is held, who you share it with, and when it is deleted.  

2. Develop a data strategy.  Consider what data you really need to hold and how long you need it for.  Conduct a risk assessment to identify where the risks of a data breach lie and what you can do to minimise them.  Develop a plan for how you will deal with a data breach in the future, and how you will assess whether a breach needs to be reported to the ICO.

3. Consider whether you need to appoint a Data Protection Officer.  Even if you are not required to do so, assess whether it would be beneficial to nominate some individuals to take internal responsibility for data compliance.

4. Update your privacy policy to comply with the additional information requirements of the GDPR, and make sure it is available on your website.

5. Check how you gain consent and update your T&Cs.  Most businesses currently collect marketing data from any individual they deal with who fails to “opt out” of such contact.  Going forward, consent must be “explicit, freely given and informed”.  Your T&Cs should be updated to provide that individuals must opt in to be added to your database.

6. Cleanse your database.  If you have relied on opt-out or “passive” consent to contact people in the past (e.g. for marketing purposes), you need to get fresh consent from those in your existing database.  Do this sooner rather than later and beat the rush.

7. Educate and train your staff on the GDPR. Make sure your staff know what your internal policies are, who to go to with a data problem, and how they need to deal with requests to be forgotten and subject access requests.