GDPR (General Data Protection Regulation) is an acronym that, if you run a business, you will have heard of. If not, you had better get researching: by May 2018 new legislation will be coming into force that will change the way we need to inform our customers about the data we store, as well as giving Mr and Mrs Public far more concise rights to that information, including the right to be forgotten. In this blog I don’t want to talk about what GDPR is, as there are plenty of blogs out there that already do that very well; here I want to talk about the steps Utopia has taken to ensure my team and I are ready for May 2018.
I’ve broken down Utopia’s progress to being GDPR ready into 6 basic steps and listed them below.
As a team we looked at GDPR and I nominated myself as the lead for ensuring Utopia was GDPR ready. I also got the shiny new title of DPO, or Data Protection Officer. While it’s not necessary for Utopia to appoint a member of the team as a DPO, we felt it was best to have one person owning this area as it represents best practice.
We audited the data we currently had on record. Was it accurate, where was it kept and had it ever been shared? This included any data stored in backups and in the cloud. During this process I deleted old databases, records and even individual fields that were no longer required. Moving forward we need Utopia to only be holding the data we really need.
We created a Standard Operating Procedure for what to do when a request for data arrives from a customer. This could be to find out what data we have on record or even to be removed entirely from our records.
We audited the Utopia website, which is securely hosted in the UK, looking specifically at what data it was collecting. We wanted to confirm that it was clear why data was being asked for, as well as ensuring it was easy to opt out of communications. The answer on first looking was, in truth, not entirely. We have now implemented little pop-outs to show why we ask for the information requested, and have ensured it is now easy to opt out of marketing communications. I have illustrated the data pop-outs below:
This is a snip from our new Checkout page. We have implemented pop-outs to explain why we ask for data. We have kept the language used here in line with the friendly voice and tone we use throughout our website.
We updated our policy on data breaches to ensure we can let the Information Commissioner’s Office know of any breaches should they ever occur. It’s worth highlighting at this point that Utopia is in the process of being awarded our Cyber Essentials certificate and we take cyber security extremely seriously.
I have to repeat that this is by no means a guide to being GDPR ready; being ready will be different for each and every company and it’s best that you take professional advice on what your individual requirements might be. The complete process Utopia has gone through covers over 70 aspects of the business; with this blog I simply wanted to share a synopsis of some key points, as well as inviting feedback on your experience of GDPR. One thing we have learned while going through this process is that while there are many people talking about GDPR, even solicitors sometimes come unstuck with some of the trickier intricacies of the requirements. Nobody seems to be an expert just yet.
09/11/2017 – Update
While attending a Network Group event yesterday (8/11/17) I learned that the DPO should not be someone who is on the board of directors of the company that the DPO is responsible for. Oops! I will be looking into Utopia’s options and report back once we have found our solution to this, and I think this is a great example of how we are all learning about GDPR in greater detail every day.