Are you ready for GDPR? A step-by-step guide
2 May 2018
According to a survey published in February 2018, the Federation of Small Businesses (FSB) found that only 8% of small businesses would actually admit to being GDPR compliant. On the other side of the fence, 18% had never even heard of GDPR. That leaves 90% of businesses either unprepared or unaware of the biggest shakeup in data protection in more than 30 years.
The Information Commissioner’s Office (ICO) has published a ton of advice on getting smaller businesses compliant with the new regulation and has a dedicated helpline for just this purpose.
The right way to get ready for GDPR?
We get a lot of questions from our customers (and prospective customers) on how OpenCRM can help get them ready for GDPR. And there are a lot of things we can do to help, from using our Customer Portal to manage email preferences and update contact details to implementing your data retention policies with our dedicated workflow tools.
GDPR is a big change and every business will implement their own processes in a slightly different way. That’s why giving advice on what is “the right answer” is so difficult.
Our step-by-step guide
Saying all that, we do have a process that we’ve been recommending to our customers when they ask us how to get ready for GDPR.
It won’t tell you what to do or which processes to implement, but it will help you get your business and your business data in the right place to make the decisions on what you need to do to become GDPR compliant.
Step 1: Do an audit of all the data you currently hold
You can’t know how to protect your data if you don’t know what data you hold. This means going through every system and working out which data is where.
That includes the loft where you’ve got those dusty old boxes.
Step 2: Write down what you do with all of that data
One of the central tenets of GDPR is only processing and storing data where you actually have a good reason for doing so. If you don’t know why you are holding the data, there is a question of whether you really need it.
Having documented processes will also help you with the next step.
Step 3: Getting Consent…or not?
The next step is the one that everyone is talking about: the decision over whether you need consent for each of your data processing activities.
This is a decision that you will probably want to discuss with someone who knows a bit more about the legal side of things…try the ICO helpline if you aren’t sure.
But again, write down these decisions. Documenting your policies is a big part of GDPR.
Step 4: Decide how long you need to keep data
Once you know what data you hold and what your reasons are for holding it, you’ll find that you have several items that you either don’t need right now or won’t need in the future.
For example, do you need to keep a record of a former customer’s favourite colour? Sure, it was important when they were a customer, but now that they aren’t, is it something you need to store?
Write down all of these decisions and processes; they are the early draft of your data retention policies.
Step 5: Talk to an expert
Once you have an idea of what you want to do with all the data you currently hold, you need to speak with an expert. And I don’t mean your CRM provider.
You need a legal expert to take a look at these decisions you are making to double check that you haven’t forgotten anything. Maybe you wanted to get rid of some address details, but you might actually need to hang onto them for HMRC reasons?
Step 6: Implementation
Now that you’ve got your policies in place, the time has come to get them implemented in your systems and across the rest of your team.
This is when you want to have that conversation with your CRM, email, chat client, and other system providers, giving them the details of your policies and finding out how they can help you achieve them.
Getting ready for GDPR isn’t necessarily an easy process, but the important thing is to get started where you can and get advice when you aren’t sure. You’ll be compliant before you know it.
Although I originally hail from northern California, as soon as I arrived in Yorkshire I knew it was the place for me! At OpenCRM, I started out in the Business Development team, and then moved into compliance and Q&A because I love telling people what to do…ok, that’s not the real reason, but it makes for a good bio one-liner. When I’m not in the office, you can usually find me tramping through the dales, crafting, gardening, or with my nose in a book.