Six Practical Steps To Comply With The GDPR
Introduction
There is a lot of scaremongering going on around the General Data Protection Regulation (GDPR) - mainly to do with the level of potential fines.
The GDPR allows for fines of up to 20 million Euros or 4% of annual global turnover, whichever is the greater.
Fines are (and will continue to be) a last resort, and are reserved for the worst (and in some cases persistent) offenders. However, many of the largest fines have been for data breaches, not illegal collection and use of data by companies.
So here are some practical steps to comply:
1. Appoint a Data Protection Officer (DPO)
This needs to be a senior management or board-level appointment. This is not a tick-box exercise. It should be someone who will get the job done and take a multi-disciplinary approach. Data protection works across all parts of an organisation - employee data, customer data, IT systems, security, marketing etc. In larger organisations, this is a separate board-level post with access to all parts of the business where there is a potential risk.
2. Data Protection Policy
Download and use our Data Protection Policy. All employees need to read this policy and then complete the attached consent form - no exceptions. For a complete solution, please see our Employers Pack - Staff Handbook.
3. IT Systems
Make sure your IT systems are running the latest versions of any software and that all security patches are applied - and that there is a system for regularly doing this.
All computers, but particularly laptops, should be password protected and should have properly encrypted drives. Easily guessed passwords should be a disciplinary offence. The same applies to email accounts and online backend services used by employees. All phones should have password or biometric protection; this includes personal phones that have access to work email and work systems.
If your staff travel a lot, use virtual private networks (VPNs) to access work email and systems. A VPN creates an encrypted connection when using public wifi or other third-party wifi. We would also recommend the use of two-factor authentication (2FA) when logging into any organisation accounts or email. 2FA should be used by all employees, and by any third parties allowed to access data the organisation holds.
4. Proper IT Training
All members of staff (this includes senior managers and directors) must have practical IT training. For example, not clicking unthinkingly on every attachment or link that arrives in your email inbox. If you are not expecting an attachment, think before opening it. As email addresses can be easily faked, don't just look at the email address. Don't reply to the email; call the person (if you know them), otherwise bin it.
Too much?
Well, Hillary Clinton's 2016 presidential campaign faltered because hackers compromised one email account using a basic phishing attack. That account led to an address book containing email addresses for most of her senior staff, which in turn led to more targeted phishing, so-called "spear-phishing". The rest is painful history.
This does not only apply to data: phishing attacks using fake email addresses can be used to send fake invoices or requests for "urgent payment". These are known to arrive on Friday afternoons or during school holidays, when bosses can be away and it all seems more plausible.
The bottom line is that you can have all the best policies, procedures and technology in place, but untrained or poorly trained staff render it all useless.
5. Email Marketing Lists
If you have purchased any email marketing lists in the past, don't do it any more. If you currently use purchased marketing lists, stop doing it now. Third-party companies can swear that everyone on the list they sell you has opted in - but how have they opted in to receiving emails from you? (You just bought a list.)
You should only use email lists of people who have explicitly opted in to receiving emails from you. This must be opt-in - they ticked a box to be on your email list.
From a practical viewpoint avoid pop-up windows on your site asking people to subscribe. If visitors are using a mobile, it can be difficult or almost impossible to find the cancel button in the corner to close the pop-up. This annoys potential customers and risks them shopping elsewhere.
Also, all marketing emails must include a clear and working unsubscribe link. Plus, when a person unsubscribes make sure they are removed automatically and promptly from your marketing list. There is nothing more annoying than taking the time to unsubscribe and then to still receive further emails from the same organisation.
Do not sell, trade or swap your email lists or any other customer data.
6. Passwords & Two-Factor Authentication
Passwords should be regularly changed and should be a mixture of numbers, letters (upper and lowercase) and symbols. We would say a minimum of 7 characters long. You can also get software packages or apps to generate and securely store passwords; these products can create random passwords of 21 characters or more. We would also recommend the use of Two-Factor Authentication (2FA), as entering an extra time-sensitive code provides a very effective extra layer of security.
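To make the advice in steps 3 and 6 concrete, the following added example (not part of the original article) checks a password against the policy stated above (at least 7 characters, mixing lowercase, uppercase, digits and symbols), generates a 21-character random password with the operating system's CSPRNG, and computes the time-sensitive 2FA code in the standard TOTP form (RFC 6238, HMAC-SHA1, 30-second steps). The symbol set and the 21-character default are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import string
import struct
import time

# Symbol set is an assumption for this example; adjust to local policy.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def meets_policy(password: str, min_len: int = 7) -> bool:
    """Apply the article's stated policy: minimum length plus a mixture of
    lowercase, uppercase, digits and symbols."""
    if len(password) < min_len:
        return False
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SYMBOLS for c in password))


def generate_password(length: int = 21) -> str:
    """Generate a random password using the OS CSPRNG (secrets, never random),
    retrying until every required character class is present."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time code (RFC 6238 with HMAC-SHA1). `secret` is the
    shared key the authenticator app and the server both hold; the code only
    stays valid for one `step` window, which is what makes it time-sensitive."""
    now = time.time() if for_time is None else for_time
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw))
    # RFC 6238 test key; a real deployment uses a per-user random secret.
    print(totp(b"12345678901234567890"))
```

A server verifying a submitted code should compare it with `hmac.compare_digest` and typically accept the adjacent time window to tolerate clock drift.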
Conclusion - Data Is Money
Data is the new money - hence the GDPR. You should guard your data to comply with the Regulations, but also to reassure your customers, keep them loyal and protect your reputation. It is a change in mindset, but over time it will reap real commercial and sustainable benefits.