You've probably heard the term GDPR being waved about a fair bit by now (if you haven't, then you should definitely continue reading this article).
It's a pretty big deal for most businesses across Europe, so our Chief Operating Officer, Dan Arthurs, has put together some information on how the new legislation will impact service-based firms like yours (and ours). This article covers:
What is GDPR
The General Data Protection Regulation (GDPR) is a new EU regulation which becomes enforceable on 25th May 2018.
If you're UK-based, you still need to pay attention to GDPR, as it comes into effect 10 months before Brexit. So it's unlikely anything significant will change after Britain leaves the EU, particularly because the UK has had significant input into defining GDPR in the first place.
The main purpose of GDPR is to protect the personal information of EU citizens.
So if your company holds personal information on anyone living within the EU - whether that be names, email addresses, phone numbers or other sensitive information - then that data needs to be handled in accordance with GDPR.
I suspect the majority of organisations will be holding some level of data of this nature, so it’s really important that you understand the obligations your business needs to follow once GDPR kicks in.
So what exactly do you need to know about GDPR?
- The fines are sizeable: up to €20m (£17.25m) or 4% of your previous year’s global annual turnover (dependent on which figure is greater).
- Consent: unless you have a lawful reason to be processing someone's data, you must be able to prove that you have explicit consent for the type of processing you are carrying out.
- The right to be forgotten: you must remove or sufficiently anonymise the data you hold on any individual if they request that their information is deleted.
- Subject Access Requests: there are new, reduced time limits, and you can no longer charge people to provide them with the information you have about them.
- Data Breach Notifications: you must notify the ICO within 72 hours of becoming aware of a data breach which poses any risk to the rights of individuals.
- Privacy by Design: the protection of individuals' data must be considered throughout the whole lifecycle of any process which involves the processing of personal data.
- In certain cases, you MUST hire a Data Protection Officer (DPO).
- Both data processors and data controllers have equal responsibility in ensuring data is handled in accordance with GDPR.
What we're doing about it
Updated May 2018
Here at CMAP we see the new GDPR regulations as an opportunity to review our current processes, particularly from a data & privacy point of view.
We're also using it as an opportunity to take stock of where we can improve efficiencies in the software itself.
As you know by now, GDPR protects the personal information of individuals.
However, CMAP clients would probably agree that certain forms of data held within CMAP are more sensitive than the names and email addresses of employees.
So we're ensuring that all data (deemed as sensitive) is handled, stored & processed as securely as possible by making the most out of the latest technologies and sound internal processes.
We've already completed an organisation-wide data audit, which means that we've documented every type of data we store and use on a day-to-day basis: so far we've interviewed every member of staff and have even documented the notepads used by the QA team.
Changes to CMAP
We've already had a number of clients asking about GDPR, particularly around the impact it will have on CMAP's functionality.
As of May 2018, we've launched new functionality within CMAP that will ensure everyone using CMAP is GDPR compliant. These changes include:
1. The ability to delete contacts
Previously, contact records were simply archived when deleted from a CMAP account. This ensured that the corresponding project data (i.e. projects, invoices & activities) was still visible.
As part of the new GDPR legislation, we've introduced a permanent delete function.
This will permanently remove any deleted individual's contact records from CMAP's databases.
However, dependent project information will be retained and completely anonymised.
The permanent delete function will only be accessible by CMAP users with 'full control' security permissions within an organisation, as once a record is deleted, it will now be completely irretrievable.
In support of this, we have now cleaned out all CMAP Databases by removing all previously archived contact information, meaning archived data will no longer appear on project information for existing users.
2. Contact Preferences
In some cases, you may have contacts who may not wish to be contacted by your organisation through email marketing, but you may also have a valid reason for processing & storing their personal data.
In this case, you're now able to record if an individual does not want to be contacted via their contact record in CMAP (under Actions > 'Set Contact Allowed' to No).
To support this, we've updated the 'Email Marketing Status' panel in CMAP to 'Contact Preferences', where the preferences of each of your contacts are now fully visible.
3. Showing contact added/updated dates
Another update to the Contacts area of CMAP means that you can now see the date a contact was added to CMAP, when the contact record was last updated and by whom.
This information is now visible for every contact stored by your organisation in CMAP, meaning you have a clear, referenceable paper trail for each of your contacts.
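As an added illustration (not CMAP's own code), the Python sketch below models the three changes above in one in-memory store: a permanent delete that is restricted to 'full control' users and anonymises dependent invoice records instead of removing them, a per-contact 'contact allowed' flag, and created/updated-by metadata. The class and field names, the permission string and the sample records are all assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone

ANON = "[anonymised]"   # written into dependent records once the contact is erased

@dataclass
class Contact:
    id: str
    name: str
    email: str
    contact_allowed: bool = True                  # section 2: 'Set Contact Allowed'
    created_by: str = ""                          # section 3: who added the record
    created_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    updated_by: str | None = None                 # section 3: last change and by whom
    updated_at: datetime | None = None

@dataclass
class Invoice:          # dependent project data that must survive the erasure
    id: str
    contact_id: str | None
    contact_name: str
    amount: float

class Store:
    def __init__(self) -> None:
        self.contacts: dict[str, Contact] = {}
        self.invoices: list[Invoice] = []
    def set_contact_allowed(self, cid: str, allowed: bool, actor: str) -> None:
        c = self.contacts[cid]
        c.contact_allowed, c.updated_by = allowed, actor
        c.updated_at = datetime.now(timezone.utc)
    def permanent_delete(self, cid: str, actor_perms: set[str]) -> int:
        # Hard delete (not archive), then anonymise dependants; returns how many.
        if "full control" not in actor_perms:     # section 1: restricted operation
            raise PermissionError("permanent delete requires 'full control'")
        del self.contacts[cid]                    # irretrievable once removed
        touched = 0
        for inv in self.invoices:
            if inv.contact_id == cid:
                inv.contact_id, inv.contact_name = None, ANON   # break the link
                touched += 1
        return touched

def demo() -> Store:
    s = Store()                                   # constructed sample data, not CMAP's
    s.contacts["c1"] = Contact("c1", "Ada Example", "ada@example.com", created_by="dan")
    s.invoices += [Invoice("i1", "c1", "Ada Example", 100.0), Invoice("i2", "c2", "Bob", 50.0)]
    s.set_contact_allowed("c1", False, "dan")
    s.permanent_delete("c1", {"full control"})
    return s
```

After `demo()` runs, the invoice total is unchanged but no field on the remaining records identifies the deleted individual.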
If you have any concerns over CMAP's functionality in relation to GDPR, feel free to give our support team a call. You can also read a more technical overview of these changes here:
How you can prepare
Hopefully GDPR isn’t news to you and you're already well on your way to accounting for the changes.
But according to the latest survey, very few organisations are actually GDPR compliant right now, and some haven't even started considering it yet.
So I thought I'd share some of the tasks we've undertaken ourselves (so far) to help us on our journey to GDPR compliance. Hopefully you'll find them useful too:
- Ensure your board/management team are aware of GDPR and its requirements for compliance. It really isn’t just a job for the IT department.
- Work out where all of your data is held and how it's processed across your organisation (i.e. spreadsheets, software, email etc.). This is particularly important if the data relates to personal information.
- Ensure there are adequate processes in place to keep that data secure. If there are gaps, it's worth looking into how you can fix them.
- Review and update your Privacy Policies, as well as any contracts you have with your clients. It is now everyone’s responsibility to ensure protections are in place to keep data secure.
- If you share data with 3rd party providers speak to them to make sure they are also working towards GDPR compliance. Ask them to provide you with updated contracts that stipulate they have the necessary protections in place.
- Check that you have the means to detect data breaches in your business, and make sure you have a policy in place to notify the ICO and those impacted if required to do so.
- Educate your staff. Make sure everyone in the company understands what is required of them when it comes to handling sensitive data. Update your internal policies and processes to make this absolutely clear to them (and new starters).
I appreciate this may not have been the most compelling of reads and it does seem like GDPR is just another piece of red tape.
The good news however, is that GDPR shouldn’t be too difficult to adapt to. It forces organisations at all levels to be mindful of how they are using, sharing & storing personal information, which can only be a good thing. Right?
If you'd like to find out more about how GDPR is going to affect your industry, I've included a few useful links below: