
GDPR: 12 steps to take now

Brought to you by the Lead Forensics Knowledge Base

Lead Forensics: compliance by design

UK: 0207 206 7293 www.leadforensics.com


Contents

Introduction 3

What is GDPR? 3

Which businesses are affected? 3

12 steps to GDPR compliance 4

1. Raise awareness 4

2. Document all the personal data you hold 4

3. Clearly communicate your updated privacy policy 4

4. Make sure you understand individual rights 5

5. Put processes in place for handling requests 5

6. Identify the lawful basis for processing personal data 5

7. Understand what ‘legitimate interest’ means 6

8. Handling data breaches 6

9. Carry out a Privacy Impact Assessment (PIA) 7

10. Assign a Data Protection Officer 7

11. Consider international implications 8

12. Update systems and processes 8

Ready to fuel your sales pipeline with GDPR compliant leads? 9

The new General Data Protection Regulation (GDPR) comes into force on 25th May 2018.

GDPR affects any business that holds or processes information about residents in the European Union. This is true, even if the business itself is based outside the EU.

This guide will help you to:

• Understand how changes to GDPR will affect your business

• Ensure your business is fully compliant with new regulations

• Put processes in place to manage change and remain compliant

• Create a Sales and Marketing strategy that takes new laws into account

About Lead Forensics

Lead Forensics is an example of marketing and sales enablement software trailblazing in a GDPR compliant environment. Lead Forensics identifies the visitors to an organisation’s website, fuelling marketing and sales teams with the business-related contact details of people actively interested in the products and services of their organisation.

GET STARTED: Take the free demo and trial today...


Are you GDPR compliant? It’s a question that businesses are likely to hear a lot in the coming months, as the crucial 25 May 2018 deadline fast approaches.

So, who does GDPR affect and what action should you take?

What is GDPR?

GDPR – which stands for General Data Protection Regulation – was developed by the European Parliament and aims to strengthen data protection laws for individuals within the European Union. It is designed to simplify and unify data protection laws across all countries in the EU.

The regulation becomes enforceable on 25 May 2018, at which point businesses need to ensure they are fully compliant, or they risk incurring hefty financial penalties. Far from being simply a tick box exercise, complying with GDPR requires planning and in some cases, a complete change in processes and procedures. Taking action well ahead of the deadline is therefore vital.

Which businesses are affected?

GDPR affects any business that holds or processes personal information about residents of the European Union. This is true, even if the business itself is based outside the EU.

Following Brexit, the rules will still apply in the UK, with the government planning to introduce a data protection bill that will closely mirror GDPR and its requirements.

At the heart of GDPR is personal information, which is defined as any information that can be used to identify a person (directly or indirectly), including: name, identification number, address and IP address.

It also covers sensitive personal information, such as: genetic data, health, sex life, sexual orientation, religious & political views, mental, physiological, economic, cultural or social identities. Basically, anything that could put someone at risk of unlawful discrimination.

GDPR is likely to mean big changes in the way businesses collect, store and process information about individuals. When holding personal information, businesses must ensure:


• It is processed lawfully, fairly and in a transparent manner

• That data is only processed for a specified, explicit and legitimate purpose

• Any information held must be relevant to the specified purpose

• All data must be accurate and up to date

• No data is kept for longer than necessary

• Information is handled and processed in a way that maintains security

• There must be a ‘lawful basis’ for processing the data

12 steps to GDPR compliance

To help you ensure you are compliant with GDPR, we’ve broken the process down into 12 steps:

1. Raise awareness

GDPR isn’t just something that will concern marketing teams. Everyone in the business needs to know about the changes in legislation that will come into force on 25 May 2018. Make sure that the implications of GDPR are clear to everyone within your organisation, and task a team member with taking the lead on it, researching and collating information. Looking at your risk register (if you have one) can be a good starting point, or start one if you don’t!

2. Document all the personal data you hold

Conduct a thorough information audit. Make sure that you have clearly documented all the personal data you currently hold. This should include where you sourced it from, what details it includes, what it is being used for and who has access to it.

3. Clearly communicate your updated privacy policy

Review your current privacy policy to make sure it complies with the new rules. When collecting personal data, you are obliged to provide certain information, including your identity and how you intend to use the information gathered. Under GDPR, you will also be required to make individuals aware of additional issues, such as what your lawful basis for processing their data is (see Point 6), how long the data will be kept and that they have the right to complain to the ICO if they feel their data is being handled in an unlawful way.

4. Make sure you understand individual rights

GDPR sets out the following rights for individuals:

• The right to be informed

• The right of access

• The right of rectification

• The right to erasure

• The right to restrict processing

• The right to data portability

• The right to object

• The right of deletion

• The request for data held

Once the new legislation comes into force, you need to be able to handle any such requests. That means it’s vital you have well-organised databases and procedures.

5. Put processes in place for handling requests

Make sure you have a clear process mapped out, which will be followed when any requests are raised. Give somebody within the organisation responsibility for handling such requests. The business will have just 30 days to comply with any request. Also, bear in mind that in most cases, you won’t be able to charge for this. Requests can include: right to object, right of deletion and request for data held.

6. Identify the lawful basis for processing personal data

You need to have a lawful reason for holding and processing any personal data. You need to identify and document what that lawful basis is, and it needs to be clearly communicated within your privacy policy.

There are six potential options: consent, contract, legal obligation, vital interests, legitimate interests and public interest. The one you use will depend on the purpose of the data and the relationship you hold with the individual. It is important to select the most suitable one for your business from the start, as you won’t be able to change it later without providing a very good reason.

Under GDPR, an individual’s rights will vary depending on the lawful basis on which their data is being processed. For example, if consent is the basis for processing, then individuals have stronger rights to demand the deletion of their data.

7. Understand what ‘legitimate interests’ means

‘Legitimate interests’ is the most flexible lawful basis available for processing. However, it won’t always be appropriate. You must show you’ve balanced your own interests against the individual’s interests, and if there is another less intrusive way to achieve the same result, then it should be followed.

If you decide to use legitimate interests as the lawful basis of your data processing, then a Legitimate Interests Assessment (LIA) must be completed in all instances. An LIA is effectively a risk assessment. It ensures you have gone through a comprehensive decision-making process to balance your own interests and those of the data subject.

There are three key elements. You need to:

• Identify what your legitimate interests are

• Show that processing the data is necessary

• Balance this need against the individual’s interests, rights and freedoms.

8. Handling data breaches

A personal data breach is defined by the ICO as ‘any breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. This includes both accidental and deliberate breaches. You need to ensure that you have strong processes in place to detect, report and investigate potential personal data breaches.

Some organisations are already required to notify the ICO if they have suffered a data breach. You will only need to notify them of a breach if there is a risk to the rights and freedoms of individuals that could potentially result in them being discriminated against, suffering financial loss, loss of confidentiality, damage to their reputation or any other social or economic disadvantage. You will need to make your report to the ICO within 72 hours.

9. Carry out a Privacy Impact Assessment (PIA)

GDPR makes privacy by design an express legal requirement. It also makes Privacy Impact Assessments (PIAs) – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances.

A PIA may not be required in all circumstances, but it is important to understand where it is necessary, such as:

• Where a new technology is being deployed

• Where a profiling operation is likely to significantly affect individuals

• Where there is processing on a large scale of special categories of data

10. Assign a Data Protection Officer

Certain organisations are also required to formally designate a Data Protection Officer (DPO). This includes:

• Public authorities (except for courts acting in their judicial capacity)

• Organisations that carry out regular and systematic monitoring of individuals on a large scale

• Organisations that carry out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.

The Data Protection Officer can have other responsibilities within the business. It is vital that whoever takes responsibility for your data protection compliance, does so effectively and has the knowledge, support and authority to carry out their role.

11. Consider international implications

This point is only relevant for organisations that carry out cross-border processing.

For any business which operates in more than one EU member state, you are required to determine and document who your lead data protection supervisory authority is. That means you need to disclose who the supervisory authority is in the state where your ‘main establishment’ is (i.e. the location where your central administration in the EU is, or the location where decisions about the purposes and means of processing are taken and implemented).

If this rule applies to you then map out where your organisation makes its most significant decisions about its processing activities. This will help to determine your ‘main establishment’ and therefore your lead supervisory authority.

12. Update systems and processes

Now is the time. Ensure processes are updated and systems are adjusted in readiness for GDPR. Once you’ve mapped your data, considered the lawful basis for processing and documented everything – now is the time to take action and implement change! Don’t delay.

For more information see the ICO ‘Guide to the General Data Protection Regulation (GDPR)’.


Ready to fuel your sales pipeline with GDPR compliant leads?

020 7206 7293

www.leadforensics.com

GET STARTED

Experience turbo-charged lead generation with a free demo and trial today:

Uncover who your anonymous website visitors are, identify when they’re ready to buy and access the contact details you need whilst also being compliant with GDPR.

Lead Forensics primarily sources business data, which is not covered by GDPR. Where personal data is processed (the email addresses and names of key decision makers), it is compliant under GDPR given the legitimate interest in your products or services shown by the pro-active visit from the organisation at which the data subject is employed. The beauty of Lead Forensics is that whatever data we provide you with, it all stems from a legitimate interest. We only supply you with data for a company contact because someone from that specific organisation has visited your website, showing a legitimate interest in what you’re offering.
