This blog was originally published on LinkedIn on 18th January 2018.
GDPR will affect every aspect of business, from operations to sales, marketing and your supply chain. Nothing will be exempt from the scrutiny of the Information Commissioners Office (ICO) and understandably businesses are worried. The only thing that has yet to be made clear is the consequences of non-compliance.
What we aim to make clear is how GDPR will affect the supply chain and how you can prepare for its implementation. So if your client asks “Are you GDPR compliant?” on May the 25th you can confidently answer yes. These regulations may seem frightening at first but they also provide an opportunity - companies that are well prepared for GDPR will have a distinct competitive advantage over those that are not.
GDPR introduces a new principle to the management of personal data, the principle of accountability. It isn’t enough to merely comply with the new regulations, instead, you must be able to demonstrate compliance with the regulations. If asked you must be able to prove the governance measures you have put into place in order to adhere to the regulations, showing the measures taken to ensure data compliance has been integrated into data processing activities at all stages. Here are six activities you can carry out to ensure compliance:
If you receive data or outsource your data processing, you will be required to ensure that there is compliance throughout your supply chain. This means it is vital to perform an audit of how your data is collected, where it is stored and what it is used for. Work with your IT department to find out what data you are currently storing, where it has come from, what are you using it for and who you are sharing it with. If your data flows through the supply chain you need to ensure every company that touches your data is GDPR compliant and asking them the question isn’t enough. They must provide a clear outline of what measures they are taking to ensure the protection of your consumer’s personal information.
Identify contact risk areas
Once you have completed your audit you will have a clearer perspective on where data enters and leaves your organisation. If there are any contracts that appear risky, ask them how they plan on preparing for the regulations or begin sourcing alternatives. Some companies will take the impending regulations more seriously than others, make sure you use companies that care. If you are working with a partner that isn’t taking it seriously then you are both liable under the regulations.
Compliance is not a one-off occurrence, and it is up to you to ensure everyone that touches the personal information you manage are always GDPR compliant. But how you monitor this is up to you, it is worth considering ways to ensure they are compliant and ways to do this include audits and spot checks for key suppliers.
Practice your response
If you are storing personal information on prospects or clients then under GDPR they can request to have their information forgotten. These requests must be processed within 30 days, without exceptions, regardless of the complexity of your supply chain. Work out who your contact would be at each of your suppliers and who you would need to communicate with to satisfy any requests. Failing to prepare, is preparing to fail.
Spread the word
Having the right strategy in place is vital, but it can be worthless if your employees are not aware of how to manage data and how your processes will change going forward. Make sure the team of people who manage data and liaise with suppliers are aware of the new rules and how it will affect their roles. These individuals will be key in ensuring your compliance and in removing any data if requested.
Check with your existing insurance supplier if they cover data protection and security breaches. If not you should review your options, some insurers will even cover breaches by suppliers so it is very worthwhile doing your research.
Taking key steps to prepare for GDPR is extraordinarily important and although time-consuming now, could save you considerable fines in the future. To learn more about the implications of GDPR or to get in touch with one of our experts, please get in touch.
|Click here to see Andrew's profile and contact details.|