The new General Data Protection Regulation (GDPR) comes into force on May 25 2018. Despite this, many UK businesses are still confused as to how the GDPR will affect their business.
According to a statement by KPMG, with less than a month before GDPR becomes legislation, 54% of companies still feel that they aren't ready. A large number of businesses also admit they haven't looked at the third parties they work with for possible compliance issues.
So what does the GDPR mean for you, and how will it affect your everyday business such as holding personal details and card payment processing?
For companies with more than 250 employees, you'll need a privacy notice. You'll need to complete a data map of all the personal data you hold on customers and where it's located, e.g. in a filing cabinet, an electronic database, or a secure payment portal. You must then record how long the data will be kept for (you'll need to decide on the shortest time period possible), the date when you'll delete it, and how you deleted it.
You'll also need to list how you'll protect your personal electronic data e.g. secure systems, secure payment processing, secure email, encryption etc.
You can no longer use automatic opt-in. Informed consent will need to be given before personal details are added to customer databases and mailing lists. If you have inactive customers who have not been in contact for a long period of time, you'll need to contact them and ask them to opt in again so that you can keep their details.
It would be beneficial for you to find a way of automating this for future customers who become inactive.
A customer can ask to be forgotten under the new rules. How easy would it be for you to now delete every record, document and email you have on a person?
Are you holding identifiable credit or debit card information? You need a way to ensure this is securely destroyed.
You can find out more about GDPR with this up-to-date guide on the Information Commissioner's website.