The introduction of GDPR regulations presents a number of challenges and opportunities for businesses over the months before it becomes effective in May 2018.
Cantata is already working with a number of clients to ensure a smooth and compliant transition for their business. With this experience, we thought it would be useful to publish a series of blogs over the next few weeks highlighting key challenges and experiences which may be useful to others.
The series of articles is planned to contain the items listed here but may be amended as experiences are shared and further clarification is issued. The articles are general guidelines to aspects of the legislation and business impacts based on the current understanding of the Cantata team. Nothing in the articles should be relied upon as a definitive statement of legal position.
For now, the key point to remember is that GDPR is primarily a business challenge rather than a technology one, although we have seen how it can have significant implications for our clients’ technology base. As ever, your systems are there to support and enable the business function, not to lead it, and you will need processes and training – potentially also the introduction of new roles in the organisation – quite separate from any technology changes.
The starting point for most organisations is simple – understanding what data you hold and why you hold it. Surprisingly few are currently clear on this, and it makes a massive difference to the approach to achieving overall compliance with GDPR, so make this top of your priorities for 2017 to enable whatever is needed in 2018.
Topics in this series of blogs will include:
The GDPR regulations apply to any organisation providing goods/services inside the EU which stores and/or processes personal data and sensitive personal data, whether in electronic form or in paper filing systems. GDPR applies to data held by or processed for not-for-profit and charitable organisations as well as more commercially focussed ones, and to data held for all purposes.
If you are storing, collecting, using or deleting personal data about your individual customers, staff, members, supporters, suppliers, or any other contacts, including individuals who work for organisations you deal with, you are processing personally identifiable information. GDPR regulations do not only apply to data used for Marketing purposes – and they extend the definition of personally identifiable data to sole traders and partnerships as well as individuals.
If you are sharing or transferring such data to other organisations, you need to consider the additional requirements which cover this aspect of the regulations.
Further, if the information you hold and process includes sensitive personal data you need to consider the additional responsibilities which apply. Sensitive personal data is described as information on:
It’s worth looking at why you hold this data and the additional value you may derive from it.
There’s been much talk of the need to get explicit customer consent to hold data – and it’s important to do so in most cases, but there are exceptions for data which is essential for the specific purposes outlined below. But don’t assume you can then use that data for any other purpose!
“Legitimate reason” covers several circumstances where it is essential to hold and process personal information.
It’s wise to consider that you will need EXPLICIT consent to hold and use the data – and this is very different from the historic approach to data gathering in many organisations.
Future posts will review what consent really means and how to approach gaining the agreements you need.