Viewing archives for GDPR

GDPR – The Voice of Reason

Anyone who is involved with GDPR will know that there are always complexities and dilemmas, and these are often not simple and not quick to fix. The important thing is to start, to address the things you can, and to create a plan for dealing with the difficulties as well.

Here are some examples of how we’ve been working with clients, to illustrate the realities – warts and all!

For many of our clients, internal communications has been a major piece of work. Everyone is busy and this can feel like just another problem, so ensuring that people buy in to the issue is critical. This is partly about understanding the potential fines and reputational damage to the business, but you can also help people to relate to the importance of this by talking to them about how they themselves would want their own data to be looked after.

A common theme is making sure people understand what is caught by GDPR and organising discussions around what amounts to personal data. The best way to reduce your problem is to minimise the personal data you collect in the first place – do you really need the data you’re currently collecting? Many companies collect special data about their employees that they don’t really need (GDPR defines special data which is particularly sensitive), or they are not very good at deleting it even when employees leave.

For many companies, the focus is on marketing. For example, our clients in professional services often have lists of business email addresses that they have built up over years. In many cases these databases are not well maintained and they don’t have routines for cleaning and pruning – they just keep on adding to them! Some companies have embarked on a programme to get consent for continued marketing, some are using legitimate interest justifications (as we are).

Manufacturers and supply chain businesses often have lots of supplier data, whereas facilities management, care home or construction companies may have large numbers of staff, some casual or freelance. They may have lots of details about them that they have historically managed quite “loosely”. At the extreme end, we have modelling agencies with large volumes of images and videos as well as passport and visa details.

Many companies need to overhaul some technical aspects of their IT, including things like encryption, password handling, patching and firewall configuration, as well as backup and disaster recovery plans. And of course they need to be clear on where internal responsibility lies for ongoing maintenance of this.

In almost all cases, contracts have needed some improvements to ensure everyone is clear on their duties. This includes suppliers, staff and partners as well as cookie policies, privacy notices and information security standards.

And most companies have no existing plans for dealing with a breach or request from someone to provide or correct or delete their data. As well as creating policies and plans for this, there is a cultural change to focus on honesty and learning, rather than silence and cover-up.

But whenever we can, our aim is to find a business opportunity. For example, in many cases this is an opportunity to engage with the old sales prospects.

Analysing what data you have, how it moves around the business and why is critical to GDPR compliance but it’s also a starting point for improvements. There are always opportunities for greater efficiency, and reduction in errors as well as serving customers better.

In many cases we are able to use GDPR discussions as a spring-board for serious consideration of radical improvements to processes and systems. Bringing data under control not only positions you for GDPR compliance, it’s also the starting point for integrated and streamlined business. And it’s a solid platform for digital initiatives as well.

You might also find our previously published articles of interest:

GDPR: A simple guide for CEOs (and what to do right now)

GDPR Action Plan: 6 months to go

Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it “fractional”) IT leaders. We work exclusively with ambitious organisations and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.

GDPR Action Plan: 6 Months to Go

Like me you’ve probably been bombarded by emails and offers about GDPR. But the material I receive is rarely any real use. So, to help you find a way to start, here is our detailed Board action plan which is a simple, step-by-step summary of how we approach this issue.

We’re currently helping all sorts of clients with GDPR… from employment agencies who have stacks of very personal data, including huge numbers of CVs, photos and official document scans; to distributors who have far less demanding issues, but still need to put some new safeguards and processes in place.

In all cases we aim to avoid making this a tick-box exercise. We put GDPR in the context of your plans for business growth, and the aim is to use this project as a springboard for you to create business value.

 

And here is a link to my short video on the subject: www.freemanclarke.co.uk/landing/ceos-gdpr-action-plan-get-track/

If you are still unsure where to start, or are looking for some sound advice, then please get in touch. We are always happy to have informal conversations to help people out. We have an incredible team of IT leaders who will hit the ground running and can support you through this process. Click Contact Us or call 0203 020 1864.

GDPR: Mindset & Culture – A Short Note for the Board

Original article written by Trupti Harding-Shah of My Inhouse Lawyer, www.myinhouselawyer.uk

In her video address yesterday, marking the 1 year countdown before GDPR takes effect, the Information Commissioner Elizabeth Denham makes data protection a board room issue.

She talks about sticks and carrots: the reputational risks and penalties that could hit the bank balances of businesses who don’t employ good data protection practices and in contrast, the benefits for those who make data trust a cornerstone of how they run their businesses.

A few weeks ago, our partner Freeman Clarke produced an excellent overview on GDPR, giving useful highlights and practical action plans. In this piece, we take a step back and talk about mindset and culture, two themes which are consistently threaded through the ICO’s messaging on GDPR and are relevant to board room thinking.

It’s fair to say that GDPR is not so much an instigator of change as an indicator of change. The digital economy in which we live has clearly outpaced old data protections. It’s a world where we can be identified by our IP addresses, where data about each of us can be used to profile us, market to us and is traded between organisations, often without our knowledge or consent.

GDPR looks to put individuals back in the driving seat, delivering to them stronger rights in response to heightened risks, including rights to:

With only a year to go, it’s right that businesses should be taking a close look at their data protection practices, identifying gaps against GDPR and looking to make those good.

At board level, it’s also about moving away from a mindset of compliance to thinking about how individuals would want their data to be handled and being transparent and accountable to them. It’s about employing appropriate data security measures to mitigate the risks we create for others in exchange for using their data. And it’s about creating a culture of data trust that pervades our organisations.

Yes, the risk of enforcement action for non-compliance makes GDPR a board room issue. But the longer strategic play is not just about avoiding fines, it’s about winning customer confidence and being seen as the kind of business that can be trusted. Those are the businesses that will be the winners in the new GDPR environment.

While we wait for more granular guidance from the ICO, and changes to the Privacy and Electronic Communication Regulations (PECR), GDPR should be actively discussed and budgeted for at board level.

Here’s the link to the 5 minute video from Elizabeth Denham.

If you would like to discuss how GDPR will affect your business and a practical approach to making sure you’re compliant, contact us for a no-strings conversation.

GDPR Essentials: The Impact on IT, Legal and Marketing for Your Business

GDPR – the EU General Data Protection Regulation – is among the biggest legislative changes to hit UK businesses in years. Organisations that fail to adhere to the new rules face fines of €20m or 4% of their global turnover. And there’s no limit on size of business; it affects everyone.

As a business owner, you need to get to grips with GDPR, how it affects your business and what you need to put in place to prepare. The ramifications impact many different departments and, as such, you’ll need a holistic plan of action which involves key members of your team.

With this in mind, The Marketing Centre gathered three partners and experts around the boardroom table to discuss the regulation’s impact from the perspective of legal, IT and marketing. Let’s meet them.

(From L-R)

The IT view: IT expert Andy Hart, Freeman Clarke Regional Director
The marketing view: Pete Jakob, Marketing Director for The Marketing Centre
The legal view: Founder of My Inhouse Lawyer, Trupti Harding-Shah

The Marketing Centre: Hi all, firstly, can we get a bit of background to GDPR. Why are the laws changing?

Trupti Harding-Shah: We’ve been operating under outdated legislation for some time now in that the current Data Protection Act (DPA) doesn’t address many of the challenges thrown up by our digital way of life. Under GDPR, businesses will have to be more proactive in their data management, and customers will have a much more dynamic right of consent around their data. They can give or withdraw consent at will, port their data or have it erased completely. It’s encouraging a real shift away from a compliance and box ticking mindset towards businesses being much more transparent and accountable to their customers.

Andy Hart: Exactly right. It’s a “sign of the times” thing. We’ve seen a continual and exponential explosion of data over the last ten years, and privacy has changed a lot. People used to easily give away data to things like Facebook, but the pushback has begun – giving people ownership over their data and enabling them to say, “that’s not right, I’m not happy with that. I want that changed or deleted.”

I’m not sure GDPR is the right way to handle this, but something has to be done because many service providers aren’t as secure as they should be. Nothing is totally secure. It’s a bit like buying a house in a high-crime area, sticking the Crown Jewels in it, and then working out how to secure them afterwards.

Pete Jakob: Ultimately, GDPR brings our data protection laws in line with the rest of Europe; the world, even. The laws will hand power to individuals about what data businesses hold on them and, importantly, how they can use it.

TMC: OK, let’s cover the basics. What do the laws mean for businesses in each of your departments, and what are the key challenges?

Andy: From an IT perspective, a business needs to understand what data it has, where the data is, who has access to it, and what it’s used for. Within that data there will be a subset which is personal information – defined much more broadly than under the Data Protection Act. Personal data isn’t just names and ID numbers or payroll numbers; it includes things like your computer’s IP address and demographic information.

There are therefore basic security controls that need to be put in place, whether the data is at rest or in transit. Data should be encrypted or anonymised, so it can’t be immediately tied back to an individual. Privacy notices need to be clear and easy to understand, outlining why data is collected, what it will be used for and how long it will be kept. It must be as easy for users to opt-out as it is to opt-in, and opting in must be positive. That means not pre-ticking email sign-in boxes, for example.

Trupti: Legally speaking, GDPR sets a much higher standard for consent, so we’ll be assessing the current mechanisms employed by our clients to obtain consent and revising them to make them more granular, dynamic and compliant. We’ll also be updating privacy policies and working with our counterparts in IT and marketing to establish a wholesale lie-of-the-land and roadmap the leap from current practices to the higher standards required under GDPR. As Andy says, businesses will have to look at how they collect, store and manage data internally, and audit this against GDPR requirements.

Until now, the approach has often been that it’s enough to have a privacy policy and cookie policy up on the website. GDPR raises the bar. It’s designed to put data protection at the top of the agenda in the minds of business owners and their management teams and encourage them to take a more holistic approach.

Pete: This question of compliance should be at the top of everyone’s marketing agenda. Today, if I have or buy a mailing list with 25,000 people on it and I want to email them, I can. I have to allow them to opt out, but until they do so I can go on mailing them.

As of May 2018, GDPR implies I might not even be allowed to email them unless they’ve explicitly consented to be mailed.

TMC: Implies?

Pete: Yeah. Well, there is a lot of misinformation floating around on this. GDPR doesn’t explicitly mention email marketing, and it certainly doesn’t prevent it. HOWEVER, there is a separate piece of legislation – Privacy in Electronic Communications (PECR) – which has been around since 2003 and is revised periodically.

The latest revisions are still in draft, but it is PECR and not GDPR which is creating concern about the future of B2B email marketing without positive opt-in consent. If the current draft of PECR goes through, it will put B2B email marketing on the same footing as B2C marketing and will mean you need a positive opt-in to send mailshots. Which way it goes remains to be seen but there could be a significant impact from a marketing perspective.

The combination of GDPR and PECR means marketing process needs to be tightened, and a positive opt in needs to be encouraged.

The question businesses need to ask is, why would their customers opt in? They need to work hard now to develop an inbound marketing strategy that offers more than simply bludgeoning the recipients round the head with sales messages. It becomes a human game rather than simply a numbers game.

If you’re procuring or building lists, work hard to get everyone to opt in. The same goes for your existing data. You’ll need records of how everyone opted in, and where, and when.

TMC: The question then is, how do you collect data?

Trupti: There’s a lot more to consent under GDPR than under the DPA: GDPR requires consent to be granular, clear and affirmative. If you want consent for a specific purpose, the request for consent needs to be directly relevant to the purpose for which you’re going to use it. In real terms, this means you can’t run a competition that says “tick this box and give us access to your data” if you’re going to use the data for another purpose altogether.

The whole business of implied consent and pre-ticked boxes will have to go. The withholding of information behind consent – including websites that say “we need your data for you to go further” – may have to go, too.

If we flip it and look at it from the perspective of the individual – it’s not unreasonable to want to know what the information you’re sharing is going to be used for. As businesses embrace this, it’s only going to build up trust in the minds of their customers and enhance their reputation. Yes, this may be disruptive in the short term but there’s also an opportunity here to win confidence.

TMC: Trupti, how worried should businesses be about non-compliance?

Trupti: Under GDPR the financial sanctions for non-compliance could mean fines of up to 4% of annual turnover or €20 million; authorities will also have investigative and corrective powers under which they could audit a business, issue warnings and even ban you (temporarily or permanently) from processing data. Individuals could also bring cases against a company if they’ve suffered loss as a result of their data being mishandled. There are additional sanctions under PECR which might also apply. Here the financial penalties are lower, but there’s scope for criminal prosecution.

In the UK, the ICO does already take enforcement action against companies not complying with the existing data protection legislation but GDPR raises the stakes giving supervising authorities stronger powers to uphold the higher standards it prescribes.

TMC: How many of the businesses each of you deals with have a plan in place for GDPR?

Andy: Very few. Many of the people I’m talking with aren’t cognisant of what’s going on. There are even people who say, “we’re leaving the EU so it doesn’t matter to us or apply to our business”. It does, and it will. It applies to anyone who conducts any transactions with the EU, with EU businesses and EU citizens.

Pete: It seems that most of the UK has its head in the sand on GDPR. Directors are vaguely aware of it, know they need to do something and are talking to their legal team about the details and the fines. I’m recommending that people go back to the principles – what would be the right thing to do, and how far off that are they, and how much can they close that gap in the next twelve months?

There’ll be vast swathes of the marketing industry that won’t be close to 100% compliant next May, but if you have a plan and you’re well on the way, you can show supervisory bodies that you’re trying to do the right thing.

TMC: What does ‘trying to do the right thing’ look like?

Pete: Firstly look at cookie and privacy statements – are they open and transparent about what you’re using to capture insight and what you’re doing with it? Are you collecting data through an opt-out process? How do you move to an opt-in process? Ask people to opt in now. If your clients, customers, contacts and so on haven’t opted in, contact them. Send them an email that’s clear about why you’re asking them to confirm, and how they can manage their preferences and so on. Start implementing that now.

TMC: How do businesses make sure they comply with the new rulings both in terms of process and internal structure?

Pete: Aside from the opt-in and compliance elements, one thing we haven’t talked about is the process for data breaches and internal reporting. Whoever becomes aware of a breach, or a suspected breach, needs to have a single point of contact they can report it to. Someone needs to assess the breach quickly, understand what caused it and where it is in the data handling process, and how many and which data subjects it impacts.

Then it needs reporting, within 72 hours, to the supervisory authority. If someone has failed to do what they should have done, there will be a fine; if the business has done everything correctly and there’s been a breach despite that, there’s unlikely to be a fine.

That single point to which the reports go is the data protection officer; someone as senior as possible to take overall responsibility for data. Many see this as a job for IT. But so much of GDPR isn’t about IT. It covers CCTV recordings, voicemail and hard copy data on paper as well as electronic data. If a notepad with someone’s details on it is stolen, this constitutes a data breach.

The reality is that IT, marketing and legal will all have a role to play, so the person nominated should be able to take a coordinated approach across all those departments. For the average SME I expect it’ll be the Financial Officer or Director.

Trupti: There needs to be an education process within the whole company. Business owners won’t want to educate their managers and then find that others within the organisation have inadvertently let a ball drop. It’s a question of managing risks: Being joined up and making sure everyone in the business understands the standards prescribed by GDPR and what that means to them in the context of that individual’s role.

Currently under GDPR, only public bodies and businesses that undertake large scale or systematic processing of data have to appoint a data protection officer (DPO). Smaller businesses are not required to appoint a DPO, but even if you don’t have to, I agree with Andy, it makes good business sense to designate someone as a data protection champion to monitor performance and report to the board.

Most businesses we work with appoint our lawyers as data protection champions to interpret GDPR and pull everyone together. That won’t be right for everyone, though, especially if they don’t have access to the kind of flexible inhouse solution we offer.

Education will carry a cost. Every business will have to make that investment, and the smart ones will probably do it sooner rather than later. Whether it’s a question of assigning employee time to those activities or bringing an expert in will vary, but every business will need to allocate a budget for education and training their teams, appointing a champion and performing that audit to establish how they’re treating data and then bridging any gap.

We also have to think about the partners and suppliers. Under GDPR you can’t pass the buck between processor and controller. Each business is responsible for upholding the same standards and you’ll want to work with businesses who are GDPR-compliant.

Some of those arrangements with mailing list providers will have to be revisited to ensure the partners have explicit consent to – for example – selling email addresses to third parties. It’s not just about prospects – it’s about all the people you’re doing business with.

TMC: Anything else?

Pete: One thing; storage practice will have to change too. If an organisation gets a subject access request, IT teams sometimes struggle to identify all the data relating to an individual, because it’s locked up in different systems. Large organisations will have to look at how they tie their systems together. Most will have to consider modifying their website to include explicit consent for data collection, having procedures and controls so that if there’s a breach people know what to do.

Many organisations don’t comply with their own data retention policies at the moment – they should be deleting data after so many years and they hang on to it forever. Even if they’ve deleted a file, it’s stored in systems or databases or on a server as a big block, and that block’s backed up for security or recovery purposes, and that backup is kept forever. If the business ever does need to restore, they’ll take that backup and they’ll get the data back. That won’t be possible as an approach under GDPR.

In all honesty, most data breaches are down to human error. People talk about being hacked, but the actual cause is someone leaving a laptop on a train, or hitting ‘Reply To All’ on an email. It’s that easy.

The best thing businesses of all sizes can do is run an employee awareness program, so staff understand why data needs to be kept safe and what the basic vulnerabilities are. Can people just wander into the office and see what’s on their screens? Are documents being left on top of photocopiers or in the out trays of printers? Do we leave things on the reception desk that we shouldn’t?

These are basic, brass tacks security controls that have nothing to do with IT systems. They simply require a bit of a cultural change which, as we all know, can be hard to achieve.

TMC: Sounds like there’s a lot of work to do!

Pete: There absolutely is, but certainly from a marketing perspective, I think we should take a positive stance on GDPR. It’s forcing us to treat clients in the way that we would like to be treated. If we’re trying to be respectful, honest, open and authentic with our clients – all those values we’ve been talking about since before digital technology – it’s a no-brainer.

If we look at the countries like Canada or Germany, which have much tighter privacy regulations than the UK has had, we see email volumes go down but email engagement go up by comparison. We’ll go the same way and see less spam. Why is that a bad thing?

Andy: Quite right. If we embrace it and are pragmatic about it, we’re in a good place. Nobody wants those headlines about a huge data breach. If we get the job done and have the right security controls around it – which many businesses don’t have, and which do cost time and money – then we’re avoiding those headlines. It’s introducing an overhead on all businesses, but it means we’re seen to protect our data properly, which makes us more trustworthy.

Key takeaways:

  1. Make someone responsible for managing GDPR and data strategy
  2. Add opt-ins to all your digital marketing and make sure you get a double opt in
  3. Carefully review what data you have, why and if it can be used post-GDPR
  4. Build an inbound marketing strategy and get it running well before the end of 2017
  5. Don’t wait for “them” to solve the problem for you; they won’t

Thanks to Pete, Trupti and Andy for their thoughts. One thing’s crystal clear from all the experts we’ve consulted – businesses need to pay attention, and plan now, to be ready when GDPR comes into force next May. If you’re not sure what your business needs to do, get in touch:

For IT-related queries, contact us at Freeman Clarke on 0203 020 1864 or via the contact us form.

For legal-related queries, contact My InHouse Lawyer on 020 7939 3959.

For marketing-related queries, contact The Marketing Centre on 020 8166 3106.

Original blog post from The Marketing Centre: http://www.themarketingcentre.com/gdpr-and-its-impact-the-view-from-legal-marketing-and-it/

We recently circulated a CEO’s Action Plan document to help businesses kick start their planning so they can become GDPR compliant by the May 2018 deadline.

If you would like to discuss how GDPR could affect your business and a practical approach to making sure you’re compliant, contact us for a no-strings conversation.

CEO’s Action Plan: GDPR – One Year to Prepare!

There is now just one year until the new GDPR becomes law. The new rules are very different, and there is every indication both the UK and European authorities (regardless of Brexit) will be taking this extremely seriously. So we are too.

We are still meeting companies that have done nothing so far, and time is now getting short. But if you get GDPR on your Board agenda now, then there is still time to make the necessary technical and process changes to be compliant.

We have produced a simple slide deck to explain the new regulations and a starting point template for your Action Plan. Below are some samples from this deck.

The full deck explains the following:

  1. What is GDPR and common terminology being used
  2. How will it affect my business
  3. Action plan to start now

If you require any assistance, please get in touch.

We are currently helping many businesses implement a GDPR plan so they are prepared and compliant by May 2018.

 


GDPR: A Simple Guide for CEOs (and What to do Right Now)

[Since this article was originally posted we have created a new detailed slide deck. A link to download these slides is at the end of the copy below.]

If you don’t comply with the new GDPR, you can be fined up to 4% of your turnover or 20M Euros (whichever is higher!). The government is deliberately making this a major issue that you have to take seriously, and you have to get right.

OK, I’m listening – what’s this all about?
The new General Data Protection Regulation (GDPR) gives EU citizens more control over their personal information, and makes organisations that hold or use that data responsible for keeping it secure. The new legislation goes further than the existing Data Protection Act, and contains several specific requirements. It will take companies time to get ready, so you need to look at this now.

But, we’re leaving the EU so this doesn’t matter to us…?
Nope. The UK government has decided to include GDPR as part of UK law for the foreseeable. The UK has been a supporter of this initiative, so even after we leave the EU it is likely our government will continue to maintain this legislation in some form. Certainly, any business in the UK which handles data of EU citizens will be affected regardless.
So, the clock is ticking and there may be a lot for your business to do!

Firstly, what data are we talking about?
In summary, the European Commission defines the data as “any information relating to an individual”. More specifically they say: “It can be anything from a name, photo, email address, bank details, posts on social networking websites, medical information, or even a computer’s IP address.” That’s a pretty broad definition, and encompasses many pieces of data not covered previously.

What do you need to do to comply?
There are 7 key areas:
1. Appoint one of your directors to be accountable. The new legislation states any organisation where the core activities involve “regular and systematic monitoring of data subjects on a large scale” or large-scale processing of “special categories of personal data” (defined in the legislation) needs to appoint a suitably competent Data Protection Officer (DPO). Do you want this role and the accountability to fall within IT, marketing or legal (or elsewhere)?

2. Ensure proper safeguarding. Practically, your senior team will need to make sure you have safeguards and controls in place to ensure data is kept safe. GDPR suggests some specific measures like:
• Controls and procedures to ensure the data is kept confidential, is accurate, and is available when needed.
• Data should be anonymised and/or encrypted.
• You must be able to restore the data and systems quickly in the event of an incident.
• Regular testing and assessment of the effectiveness of your measures.

3. You must ensure your suppliers are compliant. GDPR puts greater onus on you to ensure that any supplier you use to process data will properly safeguard the confidentiality of the data. This is not their problem, it’s your problem!

4. Explicit Consent. You must ensure that people have explicitly consented to their data being stored and processed, and you need to make it easy for them to withdraw consent if they wish. You will need to be able to demonstrate consent has been given. This is a significant change, and it is unlikely that your current measures are sufficient, so quite a bit of work will be needed here. Importantly there is also a new statutory “right to be forgotten” for data subjects who want to have their data erased.

5. Be explicit and transparent. You will need to explain in plain language what data is held, how long it will be used/retained, and how to withdraw consent. That means reviewing privacy policies and processing notices to ensure they are drafted in plain language and contain all required information. Your data retention policies and procedures will need to be simple and appropriate.

6. Report Breaches. In the past, many people kept data breaches quiet, but under the new rules they must be reported to the Information Commissioner’s Office (ICO) without delay and where feasible within 72 hours. This is quite a significant change, and to do this it is likely many organisations will need to implement security incident reporting and response procedures for the first time! Record keeping becomes increasingly important.

7. More Subject Access Requests. It seems likely there will be an increase in people querying data as they become more aware of their rights, and you will need to meet more stringent timelines in how you respond to these requests. You will need new processes, and responsibilities will need to be clear, in order to make sure your teams are compliant.

Put simply, the government seem to be encircling companies with a range of requirements that force you to take data protection seriously. Companies can no longer be vague, be slow, or sweep issues under the carpet!

So what do I need to do now?
At face value, implementing these changes seems like more of a quest than a project! However, with early action and a methodical approach, ensuring compliance should be perfectly possible.

Step 1 – Right now, create a small budget and assign a board member to be accountable for this issue.

Step 2 – By the end of Q1 of 2017 ensure you and the Board understand what personal data is being managed or processed by your organisation. Where is this data being stored and how is it managed and used? What is its lifecycle within the organisation?

Step 3 – By the end of Q2 2017 your organisation will need to have a clear plan for compliance. The new legislation comes into force on 25th May 2018.

Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it “fractional”) IT directors. We work exclusively with SME and mid-market organisations. We are frequently involved in helping our clients solve compliance headaches like GDPR. Click Contact Us for an informal conversation.

Since this article was posted, we have created a detailed slide deck on the same subject. Follow this link to read the new article and download the slides… https://www.freemanclarke.co.uk/2017/05/10/ceos-action-plan-gdpr-one-year-to-prepare/


Graeme Freeman
Co-Founder and Director
