As everyone must now surely be aware, the new regulation on data protection known as the General Data Protection Regulation (GDPR) comes into force on the 25th May 2018.
This has led all companies to review their data protection processes and we’re no different. We’ve been working hard to ensure we are compliant. Below is a list of all the things we have done to make sure we’re GDPR ready on the 25th May…
Audited business data storage and streamlined internal storage processes
We began this process by auditing all the tools we use in our business in which our clients’ details are stored. Over the years we have tried and tested many online tools to help streamline our business processes, some of which have been successful and others not.
We revisited all of them, closing and deleting accounts that didn’t work for us, tidying up the ones we did use to make sure they only held relevant data, and finding new ones that better suited our purpose. A list of the software that we use to deliver our services to our clients can be found on our privacy notice under the section ‘where we store and transfer your data’.
Invested in new CRM system
Based on this audit we realised the need to source a new CRM system. It’s fair to say we’ve tried various CRM systems over the years, none of which have proved particularly successful for us. We’ve found that finding the right CRM system is very much like dating: you’ve got to go on a good few dates before you find ‘the one’!
We have now found our match and have decided to use Capsule CRM to help us manage our clients’ details better. We’ve made sure to delete our old accounts in the CRM systems we trialled in the past, and have integrated our emails, contacts and financial information to provide a better solution for us and our clients.
Discontinued the use of any third party plugins which were no longer required
We use Google Apps for our emails, contacts, calendar and data storage. We use plugins to help make the tools we use work more effectively for us. Over the years this has meant an accumulation of plugins, some of which are useful and some of which are not. We reviewed them all and removed many of them, so we now have only a select few that link with our Google Apps account.
Where possible, we now use only data processors who are GDPR compliant
GDPR is a regulation in EU law, so any data processors that we use within the EU are also subject to the new legislation. We have tried to ensure that where possible, the data processors we use are GDPR compliant. We only use data processors which we feel really benefit our business and allow us to offer a better service to our clients.
Housekeeping on the data we hold, removing old or dormant contacts
We’ve been in business now for 7 years and over that time have accumulated many, many contacts. We have gone through our entire contacts list and deleted old or dormant ones, meaning the data we now hold for every contact is relevant and as accurate as we can obtain.
Created a new data management process
Investing in a new CRM system has enabled us to review our data management process easily. We now have a process in place for adding new contacts and one for reviewing our existing data on a 6 monthly basis to ensure the data we hold is kept as up to date as possible.
We have ensured our processing is lawful
We have completed a Legitimate Interest Assessment to ensure our processing is lawful. By completing the assessment and going through the relevant questions we can confidently communicate with our clients, suppliers and potential clients on the basis of Legitimate Interest.
Updated our privacy notice
We have sought legal advice on making sure our privacy notice on our website is up to date, accurate and reflects all the changes that GDPR brings into force. You can see the updated notice here.
Updated our contracts with our clients and suppliers
We have sought legal advice on our supply of services and contractor agreements. These have been updated and all the relevant parties have been made aware of the changes.
Set up two-factor authentication where possible
In an effort to make the online tools we use as secure as possible, as well as password protecting our accounts we have also enabled two-factor authentication wherever possible.
Ensured our devices are wipeable
We use computers, laptops and mobile devices in the course of our business and have made sure that all of the devices are able to be remotely wiped of all content should they be lost or stolen at any time.
Created and documented new data management processes
Within our CRM system we have developed new data management processes so that in the event of one of our contacts requesting information on the data we hold on them (or requesting to be forgotten), we can quickly and easily follow a documented procedure to ensure an efficient and effective response.
In order to maintain the relevancy of the data we hold we have initiated 6 monthly reviews to ensure that the information we hold is relevant and as up to date as possible.
So yes, we’ve been busy. Although GDPR has at times felt like an uphill struggle, now that we are ready we can really see the benefits for us and our clients. For all those of you who have also undergone this process, we can appreciate the time and effort that’s gone into becoming compliant and we salute you!