Is GDPR Self-Certification possible?
The General Data Protection Regulation (GDPR) will become law on 25 May 2018. It is the first major overhaul of data protection in the UK for 20 years. Its purpose is to:
Give data subjects more rights over their information.
Provide more transparency about what organisations and companies are doing with that information.
Ensure that any organisation which collects, handles or shares personal data does so with a clear and lawful purpose.
The major changes in the new regulation have caught many off guard. The rules under the current Data Protection Act 1998 (DPA) can be seen as arduous, so some organisations may not be fully informed about the requirements of the law and could have been breaking the regulations without realising it. The new rules within the GDPR will seriously affect the way an organisation communicates with its audiences, how it processes data and who it shares that data with.
The GDPR aims to give clearer guidelines for communications, such as consent-based preferences for data subjects; organisations won’t be able to communicate with their customers, members and supporters without a good and lawful reason. There is also the potential for hefty monetary penalties to discourage offenders from taking any chances with personal data, let alone the damage of having your reputation ruined by a newspaper headline. Penalties will rise from a top limit of £500,000 to an incredible £20 million. The supervisory authority in the UK, the Information Commissioner’s Office (ICO), will have new powers, such as the right to enter premises, the right to audit at any point and the right to reprimand organisations. Interpreting the new rules to fit your particular circumstances is vital to maintaining growth in your organisation.
The GDPR positively encourages organisations to appoint a Data Protection Officer (DPO), regardless of any mandatory need. You’ll definitely need a DPO if your organisation has more than 250 employees, processes large volumes of data or collects special category data. Without a DPO, someone within the organisation must take responsibility for ensuring that compliance is achieved and maintained. In short, a GDPR champion should be appointed. Smaller organisations, or organisations processing lower levels of data, will still need to appoint a Data Controller. This is the person who takes responsibility for data on a daily basis: what is collected, why, who it’s shared with and how long it is kept.
The Data Controller is likely to be handling the data held by the organisation already, appointing processors and keeping things up to date. The Data Controller will need to familiarise themselves with the new rules quickly and implement new tools to support their role, so that the organisation manages its data in the manner the GDPR requires.
The first step towards compliance is to build policies for your organisation that comply with the GDPR. Self-Certification offers a simple and cost-effective way to do this. For example, ClearComm can provide organisations with a Self-Certification Online Portal system which offers a number of features to assist the compliance process and ensure that an organisation’s transition to compliance is in line with industry-approved standards. The portal is dynamic, so that any new information or changes to the law are immediately available for users to see and act on with any necessary alterations. The portal includes templates for policies and procedures, online training modules and consultancy assistance for the person in charge of data.
The journey towards compliance should not be feared. There are some really positive aspects of the GDPR which will help organisations find refreshing ways to engage with their audiences and could potentially unveil major cost savings. Many organisations spend sizeable portions of their budget marketing to their target groups, much of which is wasted by using out-of-date data. Keeping inaccurate data is a waste of time; closely assessing your data population to check it is right is common sense and a great discipline.
Other benefits of the GDPR:
Relationships and better transparency – The GDPR demands that every organisation must be able to demonstrate that it processes data fairly. By demonstrating this to customers, supporters and members, organisations create better and stronger relationships, with more longevity.
Data protection by design – Data protection should be an integral part of your organisation. All stakeholders, from staff to customers, will see the difference and understand the value of protecting data.
Complaints and organisational challenges – Compliance with the GDPR will result in fewer complaints. Data subjects will trust organisations with their personal information and, because the conditions for delivering communications will be right, they are more likely to accept them. Without these challenges, organisations will have more time to deliver their core objectives.
Refresh procedures – The GDPR is a chance to refresh the way things are done and ensure your policies and procedures are right, lawful and future-proof. Take the opportunity to create clear and easily understood processes for staff, customers and supporters.
Security – Checking data security has always been a must, but this is a great opportunity to make it robust and fit for purpose. It will be money well spent.
We believe that, ultimately, data subjects will recognise that their data has been treated with respect and this will result in a much better and more transparent relationship with the organisation.