GDPR is a new legal framework that builds upon the existing Data Protection Act and comes into force on May 25th 2018. GDPR is about creating a higher global standard for data protection, privacy and security. GDPR is complex: it contains 173 recitals and 99 articles that you can find on the European Commission website.
With May 25th just around the corner, we decided to ask SMEs how ready they are for the new regulation. The answers are below:
Considering GDPR is less than a month away, it’s quite surprising to discover that 31% are preparing for GDPR but panicking, 62% are preparing and on track, only 2% feel they are completely ready and 5% have not started yet! However daunting or scary GDPR is, we must all be proactive and start taking the necessary steps to be ready for the deadline. See it as an opportunity to improve your internal processes; by doing so, you will increase your customers’ trust in the way you handle their data.
Legal grounds for processing data
To comply with GDPR, there are only 6 legal grounds to process personal data:
- Consent
- Performance of a contract
- To comply with legal obligations
- To protect the vital interests of the data subject or other people
- To perform a task in the public’s interest
- Legitimate interest
You need to be clear on what the ground(s) are, and you must record them so that you can evidence them. However, when we asked people if they understood this topic, 65% of respondents said no. This is an important foundation of GDPR as without legal grounds, you should not process personal data.
We asked companies if they know what to do with their existing data from a GDPR perspective and 82% replied ‘no’. In data management, you need to think not only about legal grounds (i.e. do I have the right to have and process that data under GDPR) and what you do with the data you currently hold, but also about whether you have the right to market to the individuals concerned. What do you need to do in order to ensure transparency with individuals regarding the use of their data? What processes do you need to have in place?
To have the right to process personal data, you must identify the lawful basis / legal grounds under GDPR, and to market to individuals you must ensure your marketing practices are compliant under the PECR and E-privacy regulations. The key is to establish a practical process to manage the compliance of your existing data like the one below.
Help is at hand
Make sure you are not running the risk of non-compliance and keep well away from the hefty fines of GDPR. Review your data, review your processes, train and educate people and don’t forget that technology like CRM can help.
With CRM being the hub for personal data, it can be the foundation for many of those processes and evidence recording. We ran a GDPR webinar series to give practical advice and guidance on how to best leverage CRM to address some of the core elements of GDPR. You can access the recordings here.
We haven’t stopped there! To help you stay on track, we have created a 5 Steps GDPR Checklist that you can download here.