The easiest way to check if your company is GDPR-proof
A few months ago, GDPR came into our lives. To my surprise, many organisations aren’t ready for this change or have no clue what to do next. So I ask you: is your company GDPR-proof? If you find yourself struggling with one of the following topics, you may not be ready yet, and you may need some help to get there. In this article, I set out four important questions and answers to clarify this big change.
Does GDPR affect my company?
GDPR applies to every organisation established in the EU that processes personal data, wherever the processing itself takes place. It also applies to organisations established outside the EU if they offer goods or services to individuals in the EU or monitor their behaviour (Article 3). Note that the test is whether the data subjects are in the EU, not whether they hold EU citizenship. Transfers of personal data out of the EU are allowed only under the safeguards the Regulation sets for them, such as an adequacy decision or standard contractual clauses.
For example, if you are a consultancy agency based in the United States and you market your services to people in the EU, or track their behaviour on your website, your processing of their personal data (including your marketing) needs to be GDPR-compliant.
Can you show proof of consent?
When you rely on consent as the legal basis for processing, you must be able to demonstrate that the person actually gave it (Article 7). Valid consent is freely given, specific, informed and unambiguous: a clear opt-in action, not a pre-ticked box, silence or a consent bundled into your terms and conditions. Keep a record of what the person consented to, when, and how, and make withdrawing consent as easy as giving it.
For example, if you use MailChimp for email marketing, you can rely on their updated sign-up forms. MailChimp’s GDPR fields include unticked checkboxes for opt-in consent and editable sections that allow you to explain how and why you are using the data. MailChimp also stores your forms and the consent recorded with each contact in case you need to show it in the future. A third-party form does not relieve you of responsibility, though: check that the wording of the consent text matches what you actually do with the data.
Can you forget your customers?
Under GDPR, individuals have the right to erasure (the “right to be forgotten”) and can ask for their personal data to be deleted (Article 17). If you have made the data public or passed it on, you must take reasonable steps to inform the other recipients that they must delete it as well (Articles 17 and 19). The right is not absolute: you may keep data you are legally required to retain, such as invoices, but you must then be able to say which data that is and why. Individuals also have the right to data portability (Article 20). This means that they can request the personal data they provided to you in a structured, commonly used and machine-readable format (JSON or CSV, for example), so that they can easily pass it on to a similar organisation offering the same products and services. Both rights must normally be honoured within one month, so you need a process for locating all of a person’s data across your systems and your processors, not just in your main database.
For example, Evernote implemented a process to support their users in accessing or exporting their personal data. On their website they explain what they are doing for GDPR, how they use your data, how you can contact them for more information and how to manage the information stored in Evernote.
Does your company need a data protection officer?
A data protection officer (DPO) must be appointed in certain cases. This is an independent oversight role required by the GDPR (Articles 37 to 39). The DPO advises on and monitors the organisation’s data protection strategy and implementation to ensure compliance with GDPR requirements, and acts as the contact point for the supervisory authority and for data subjects. Appointing one is mandatory for public authorities and bodies, for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for organisations whose core activities involve large-scale processing of special categories of personal data (such as data about health, racial or ethnic origin, political opinions or religious beliefs) or data relating to criminal convictions. Even where a DPO is not mandatory, someone in the organisation still needs to own data protection.
What to do next?
I can almost hear you think: “How do I comply with all these requirements?” First of all, make sure that your privacy and cookie policies are in order: they must tell people what you collect, on which legal basis, for how long, and with whom you share it. After that, you need to enter into so-called data processing agreements (Article 28) with every party that processes personal data on behalf of your company, such as your hosting provider, your email marketing tool and your CRM vendor. You should also maintain a record of processing activities (Article 30): an inventory of which personal data you hold, why, where it is stored and who has access to it. That record is what the supervisory authority will ask for, and it is also what lets you answer customers who exercise their right to know what is happening with their information.
If you don’t have a plan for GDPR implementation yet, don’t know where to start, or just have a question about implementing the GDPR, let us know. We’d be happy to schedule a free GDPR check and to help you.
+31 (0) 20 334 3749 (IBI office)
Weesperstraat 61, Amsterdam, The Netherlands