The General Data Protection Regulation (GDPR) became law in the UK on the 25th May and we want to explain how we have approached the regulation and what steps we’ve taken to ensure we treat personal data in the same way we would want others to treat our data.
Firstly, we believe the GDPR brings opportunities for trust and transparency in how data is managed and shared. Secondly, the GDPR simply builds on the practices that should have been embedded alongside the original Data Protection Act. Thirdly, the GDPR is not just about mailing lists and sharing data; it’s equally important to consider the security of data, the rights to erase, transfer and update data, and ensuring that data protection is built into products and processes.
For our consultancy business we typically hold data about current and prospective clients related to their business activities. For the Fund Marketing Network we additionally hold data about the courses, programmes, events and content related to learning and growing as business marketers.
So how have we approached GDPR?
We used the ICO data protection self-assessment checklist to create a plan of activities. This ensured we covered all aspects – and that our plan came from the source (and not from the overload of opinions on how to achieve compliance).
The key activities that we have undertaken include:
- reviewing data flows, locations, lawful bases for processing and consent – across our email, CRM and CMS
- documenting the procedures for the right to be informed and for the rights to erase, transfer and update data
- updating data privacy and security policies and ensuring contracts are reviewed
- undertaking regular training across a range of topics including data protection
- reviewing data security across devices, locations and applications
We are confident that we have a pragmatic approach to ensuring we keep the right amount of data, for the right purposes, in a secure fashion for our current and prospective clients.
Questions? Get in touch.