The imminent GDPR implementation, starting on 25 May 2018, will be “the biggest change to data protection law for a generation”, according to Elizabeth Denham of the ICO (Information Commissioner’s Office).
The GDPR creates a single set of data protection rules, applied to all EU member states, with the aim of empowering the customer. As a result, businesses need to carefully monitor how they collect and use personal data and clearly understand what they do with it. In other words, they need to establish concise data mapping and comprehensive practices in line with the new law.
“Look at activities across the business – both internal and customer-facing. Look at what data you collect, how you’re using it, and who has access to it”, says James Clark, a data protection and privacy lawyer (Tech North).
Earlier this year, the ICO issued a guide of 12 preparation steps for businesses ahead of the implementation of the GDPR. We focus on the steps entitled “Information you hold” and “Consent”, as they seem of particular importance to startups.
“You should document what personal data you hold, where it came from and who you share it with. The GDPR updates rights for a networked world and requires you to maintain records of your processing activities”.
The GDPR essentially gives power back to customers, letting them fully control their data. Acquiring customer consent that is freely given, specific, informed and unambiguous should therefore become an essential practice (Preparing for the GDPR).
Startups should provide simple and transparent solutions that inform their customers about company data practices and their rights, such as the right to be forgotten, the right to access the data, or the right to object to ‘profiling’.
Depending on the type of business, some parts of the GDPR may have more of an impact, such as the use of children’s data. Mapping out what is most applicable to your business model is a good starting point.
Finally, keeping the customer’s experience positive and respecting their wishes and concerns should be the “business as usual” strategy.
The Information Commissioner’s Office
The EU’s data protection website