5 tips to get ready for GDPR

The rules about processing people’s personal data are undergoing significant change this month, with the implementation of the EU’s General Data Protection Regulation (GDPR) in Europe. The new law puts in place a uniform set of rules for processing personal data across the EU and beyond.

With stiff penalties for failing to comply, it’s important for any organisation that handles personal data to be ready for the new rules. While we aren’t lawyers, and this isn’t a substitute for qualified advice, we’ve highlighted 5 tips that could help you to comply with GDPR.

Tip 1. Know what data you’re dealing with

A good first step to making sure you are doing the right thing with personal data is to take some time to think about all the different types of data you collect, what you do with it, and why you need it.

For example, you might have an email newsletter sign-up form. Think through all the information it is collecting, and why. Also think about other areas where personal data is being processed (which includes simply storing it). Staff HR data, customer databases, mailing lists: the list can go on, but once you know where you are, it will be easier to understand what you need to do to protect that data and comply with the law.

Tip 2. Reduce the data you handle

After you’ve got a good picture of what data you’re collecting, and why, you should think about whether it really needs to be collected. One of the key principles of the new GDPR rules is that data is “adequate, relevant and limited to what is necessary”. In short, if you don’t need to collect a particular piece of personal data, don’t collect and keep it. For example, someone’s street address or phone number is probably not necessary for sending an email newsletter.

Tip 3. Get consent

One of the key things about the new data protection rules is the importance placed on ensuring that you have permission to process personal data. There are several different grounds for permission to use personal data, but in many cases, you will need to get permission from the individuals whose data you want to handle.

We’ve all been through this; you buy something online or make an account for a website and have to tick a box to say that you consent to receive marketing communications.

What is important about GDPR is that you have to make sure that people can opt in, and that certain information—like your organisation’s contact details, the right to request a copy of information held, the right to have data removed, and the right to complain to a data protection regulator—is clearly displayed in your privacy policy.

After this, you also need to make sure you keep a record that each person whose data you hold has consented to that processing.

But you can sum this up as, in most cases, don’t process someone’s personal data if you don’t have their permission.

Tip 4. Use plain language

Of course, as well as ticking the opt-in checkbox, we’ve also all taken a peek at terms and conditions, usually to be confronted with walls of legalese. Under the new rules, you have no excuse for opaque terms and conditions. When you write your privacy policy, make sure you write it in simple terms. You shouldn’t need to be a lawyer to read and understand the average privacy policy!

Tip 5. Make sure you have the skills to protect personal data

It’s impossible to cover everything in 5 tips, so make sure you have the skills you need to protect personal data. As you’ll have seen if you did a data audit, you’re probably processing more personal data than you thought, even if you’re working in a fairly small organisation.

Our new Data Protection module, aimed at people working in small and medium-sized organisations who have to deal with personal data as part of their jobs, is designed to help organisations in their efforts to become compliant and to be assured that their workers have the right skills.

You can find out more about the module at ecdl.org/dataprotection