Ready for GDPR? Here’s 3 Simple Readiness Checks

Marius Fermi
The Business of People
4 min read · Dec 18, 2017

In light of recent studies, in which 74% of UK SMEs reported having at least one data breach in 2015, the compliance of both outside platforms and internal practices is coming under question more than ever before.

However, although many businesses across the UK may assume that their procedures are already GDPR-compliant, the consequences of continuing data handling practices that may lie outside of this framework not only warrant closer inspection, but may also be grounds for re-evaluating existing platforms and providers.

If you are looking to ensure that your business is ready for GDPR, here are three simple checks you can make starting today:

First things first: Register with the ICO

This may be an obvious step to some, but according to our own experience, the simplest yet most effective step in getting your business GDPR-ready is to register with your ICO.

If you suspect that the existing data handling practices within your organisation may be subject to this new GDPR framework, make sure to register as a data controller with the Information Commissioner’s Office.

Depending on the status of your company, the ensuing steps may not be required; even so, completing your registration could be the simplest way to confirm exemption from the beginning, whereas failure to do so could be classed as a criminal offence if your organisation is discovered to be non-compliant at a later date.

Privacy Compromised, or Data Protection by Design?

In evaluating whether your company may be exempt from GDPR intervention, you may want to consider whether your product or service integrates ‘data protection by design’:

This means that, if the procedures behind your own data flows, or those of other providers such as affiliated LMS platforms, unnecessarily extend the retention time of personal data such as contact information, intervention will most likely be needed.

If your organisation is currently interfacing with an LMS platform without existing measures such as blockchain technology to ensure GDPR compliance, the two simplest criteria you can use to test today are: ‘the right to be forgotten’, which is now extended under GDPR to require every data controller to actively delete private data; and the test of ‘data portability’, which requires organisations to ensure accessibility of this data through a flexible multi-platform medium.

Consent Confirmed, Not Assumed

As well as seeking the positive signs of GDPR compliance, such as cross-platform data accessibility, and assessing whether mediums such as an LMS platform minimise the retention of personal user data, one of the best signs for predicting compliance is your method of obtaining opt-in consent:

Under this new upcoming legislation, consent can no longer be assumed by LMS platforms and other providers; it needs to be specific, referable and unambiguous at the time a user of any data platform is added.

Furthermore, when it comes to obtaining consent for data that may be exposed to minors, ensuring compliance will most likely require an updated procedure: for example, although the procedures surrounding most platforms may be based around the UK Data Protection Bill, which requires consent from a guardian for children under the age of 13, under GDPR this age is raised to 16.

Conclusion

Overall, although these three checks are the simplest way to confirm compliance as you ready your organisation for these changes in legislation, perhaps the broader check made by a company seeking a new LMS partner in 2018 will be whether this rapid commitment to ensure compliance will come at the expense of their user experience:

Conversely, as an already-compliant LMS platform, Qintil has the unique opportunity to take the resources that would otherwise be committed to readying this compliance, and focus instead on readying our user features for a 2018 learning environment.
