Preparing for GDPR: 10 Steps to Take Now for Subscription Companies
There are now fewer than three months before the EU General Data Protection Regulation (GDPR) comes into effect on 25th May 2018.
Failure to comply can result in fines of up to €20m or 4% of global annual turnover, whichever is higher, so now’s the time to get started. These 10 key steps will help you get underway.
1 – Appoint a Data Protection Officer (DPO)
Appoint a Data Protection Officer (DPO), who can liaise with our in-house subject matter expert in preparation for data protection impact assessments (DPIAs). A DPO is mandatory for public authorities and for organisations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of special categories of data; other organisations may appoint one voluntarily. Your DPO can be an existing employee, but they should have professional experience and knowledge of data protection regulations, must be able to operate independently and should report to the highest level of management.
It will be the responsibility of the Data Protection Officer to advise your organisation about its obligations, to monitor compliance and to act as the point of contact for data subjects and for the supervisory authority.
2 – Maintain Clear Record Visibility
You must maintain records of your processing activities (Article 30), covering the categories of personal data you hold, the purposes of processing and the recipients. Where you rely on consent as your lawful basis, you must also be able to demonstrate that consent was given and show exactly what the individual consented to.
Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3 – Familiarise Yourself with Data Protection Impact Assessments
Where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals, the data controller is required to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
4 – Lawful Basis for Processing Personal Data
Identify the lawful basis for your processing activity in the GDPR and document it. There are six lawful bases for processing data under GDPR: consent, contract, legal obligation, vital interests, public task or legitimate interests. The basis you use will affect the rights of the individuals whose data you hold, so this should be clearly communicated in your privacy notice.
5 – Subject Access Requests
Under GDPR, individuals have the right to access their personal data and to be told how it is being processed, so they can confirm that an organisation is handling it lawfully. Where an individual wants a copy of their data, they make a subject access request; you must respond free of charge and without undue delay, and in any case within one month. That period can be extended by a further two months for complex or numerous requests, provided you tell the individual within the first month.
To prepare for this, update your procedures, plan how you will locate and extract an individual’s data across your systems within the one-month deadline, and be ready to provide the additional information GDPR requires alongside the data itself (the purposes of processing, the recipients, the retention period and the source of the data where it was not collected from the individual).
6 – Data Breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. In the case of a breach, you must assess the risk to the rights and freedoms of the individuals affected and take appropriate action. Unless the breach is unlikely to result in a risk to individuals, you must notify your supervisory authority within 72 hours of becoming aware of it; where the breach is likely to result in a high risk, you must also inform the individuals affected without undue delay. A processor must notify the controller without undue delay after becoming aware of a breach. Keep an internal record of every breach, including those you decide not to report, together with your reasoning, as the supervisory authority can ask to see it.
7 – Determine Your Lead Data Protection Supervisory Authority
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this. For example, businesses based in the UK, or who carry out much of their EU data processing in the UK, will be guided by the Information Commissioner’s Office (ICO).
8 – Explicit Consent
Obtain specific, informed opt-in consent from data subjects (explicit consent is required where you process special categories of data). It should be clear what individuals are opting in to, and they must actively give their consent: pre-ticked boxes, silence or inactivity are no longer acceptable. Consent should be kept separate from other terms and conditions and requested separately for each distinct purpose.
You must also honour the right to erasure (the “right to be forgotten”) and the right to withdraw consent at any time. Withdrawing consent must be as easy as giving it, and individuals must be told of this right before they consent.
9 – Buy-in a Compliant Data Processor
With an existing framework built on PCI-DSS Level 1 compliance, MPP Global has leveraged existing processes and functionality to adhere to GDPR requirements and treat personally identifiable information (PII) with similar standards to PCI data.
All data held in the eSuite platform on our client’s behalf is secured to the same level as sensitive payment data. eSuite’s data and security standards protect the privacy of personal data and offer clients the assurance needed for such changes.
Therefore, using an industry-leading solution such as eSuite can drastically reduce your PCI and Data Protection obligations, reducing the CAPEX required to gain compliance and the OPEX required to maintain compliance.
10 – Data Exports
GDPR gives individuals the right to data portability, so you need clear processes to view and export their data in a structured, commonly used and machine-readable format. Reports that contain PII are transferred securely, server-to-server, to an approved recipient list validated by the client’s DPO and restricted to users with sufficient permissions.
If you haven’t already started taking the steps above to become compliant, you’re behind the curve and running out of time. For more detail on how GDPR will impact your business, download our Complete Guide here.