Christel Land

Are you ready for GDPR? | Webinar 1

The GDPR comes into force on 25th May 2018. Is your self-storage business compliant? If not, I recommend you watch our webinar below to get an idea of how to get your business compliant with the GDPR.

Transcription

Welcome to the HiTech webinar on GDPR for the self-storage industry!

The webinar is scheduled to take half an hour, and the last 10 minutes are dedicated to you being able to ask us questions.

So if any questions pop up along the way, just write them in the chat here on the webinar platform, and then I’ll answer as many questions as possible in the time we have.

Ok, with that we’re ready to get going!

Who are we?

Some of you are existing clients of ours, some may have spoken to us at the tradeshow in Berlin a few weeks ago, and others might have received an email invitation to this webinar. So I thought it would be a good idea to just give you an idea of who we are!

HiTech has been a supplier to the European self-storage industry for the last 20 years.

It started out as a software company, grew to an IT company, and now it's also a consultancy company.

Within the area of IT we write our own software and we offer private cloud environments for companies of all sizes. For some companies we are also their outsourced IT department, so we are very much a one-stop shop for IT in the self-storage industry.

The consultancy side of our business grew out of the fact that our team has about 60 years of combined experience in the European self-storage market. As we worked with our existing clients on various projects, we could see that we were actually quite unique in that regard, and that there was sometimes a need to ask for a second opinion or a new perspective on something, but from someone who really knows the industry. And that’s how the consultancy side of the business started off.

We of course offer advice on IT but we also have 2 marketing consultants who have conducted research on the European self-storage market, and I’m one of them. My name is Christel, I’ve worked for one of the big chains in Europe for about 7 years, and as part of my MBA, I researched how the European recession affected marketing in the self-storage industry.

So we also consult on business strategy and we have certified project managers that can be hired in for both IT projects and business projects.

Our existing clients are mainly in Europe, and we service both big chains and smaller operators. We’re a team of 8 and our head office is in the Netherlands, not far from Amsterdam.


Who are we not?

So now you know who we are – so let’s also get clear on who we aren’t!

We are going to be talking about laws today, so it’s important to point out that we are not lawyers, we are consultants!

We aren’t going to be covering every aspect of GDPR over the next 20 minutes; 20 minutes isn’t nearly enough to do that! GDPR is a set of Europe-wide legislation that will be implemented in every EU country. So while we can offer general advice on GDPR, we can’t offer advice on the specifics of GDPR in your country.

As we work with our existing clients to get them ready for GDPR, and also as we’ve worked on getting our own systems compliant, we’ve collected what we believe are the key areas that self-storage companies should be looking at. And that is what we’re going to take a look at today: the 5 most important areas when you start working on compliance.


Are we selling you something?

Now, this is a free webinar and I’m sure one or two of you have thought ‘I wonder if they are going to try and sell me something’.

The answer is no. I am not going to try and sell you anything, but on one of the very last slides I will tell you how we can help in the area of GDPR, if you want us to.


What is GDPR?

So, let’s start with some basics. What is GDPR? GDPR stands for General Data Protection Regulation; it’s a set of data protection laws that come into force all over Europe on 25th May next year. The fundamental aim of the GDPR is to make sure that all organisations put data protection at the heart of the various aspects of their business; to make sure that everyone takes data protection seriously.

Now, if you have googled a bit about GDPR you will have come across the terms Controller and Processor. These aren’t terms that I’m going to use much today, but I do want to mention them, because they are used in a lot of the written material about GDPR.

In GDPR terms, a Controller would be your self-storage company, and the Processor would be any subcontractor or supplier who processes personal data on your behalf and under instructions from you. So if you are one of our clients, then you are the controller and we are your processor.


1. Governance

So now that we have the basics of GDPR, let’s look at the 5 most important areas for self-storage companies to start on with compliance. The first one is governance.

The GDPR talks a lot about Data Protection Officers. The DPO is the person in the organisation that is responsible for data protection and compliance.

So the big question is do you need one?

At this point I want to make sure to bust one of the myths about GDPR. In some of the material that you’ll read about GDPR, it will say that if you employ fewer than 250 people, you don’t need a Data Protection Officer. This would essentially mean that all small and medium sized businesses don’t need a DPO. But the European Commission made a very clear statement about this in June this year, making it clear that whether you need a DPO or not depends on what data you hold and how you process it, not how big you are.

So the question of whether you need a DPO is one that every business, no matter how big or small you are, will need to clarify.

There are a number of requirements for this, so it’s not something we can go into detail on in this webinar, but it is an area where you need to clarify whether you need a DPO or not.

You’ll need to create a governance structure for your data protection, where you specify who is responsible for what in terms of your data and how it’s held, used and processed. Who reports to whom when it comes to data protection and who has the ultimate responsibility within your company when it comes to questions relating to data protection? That is also a question you’ll need to answer.

You’ll specifically need to clarify what the responsibility is of your store staff and you need to make sure that they have been trained on the aspects of data protection that affect the work they do. They need to know what is an acceptable and unacceptable use of personal data.

We are going to talk more about documentation in a little while, but just in relation to training it’s really important also to note that it is not enough to train your staff, you need to be able to document that they have been trained and what they have been trained on.


2. Consent notice

The second area to look at is consent notices, and this is maybe the place where, on a day-to-day practical level, GDPR differs the most from previous data protection laws. As of May next year (2018), privacy consent can no longer be part of your general terms and conditions. It needs to be a separate document.

You need to include what the legal basis is for why you are asking your customers for their personal data, but the notices need to be written in plain language so that anyone can understand what it means. So no legal jargon!


The GDPR requires that it should be as easy to give consent as it is to withdraw consent, so this is an area to look at and make sure that you have operational processes for both of these situations. If you have a customer portal on your website where your customers can log on and manage their own account, then this is quite easy to implement, but this is also an area that you will want to speak to your software suppliers about, to make sure that you have an easy and bulletproof way of handling consent. Your consent notices have to include your retention period, in other words how long you hold their personal data before you delete it.


You also need to inform them that they have the right to complain if they think you aren’t handling their data in a responsible way, and you will also need to include a list of suppliers who hold their data on your behalf, so the customers can see who they are and even contact them directly if they want to.

When I’m going through this, there may be some of you thinking ‘what about my existing customers’ and that is a very good question.

The consent that you currently have will not be good enough after 25th May next year, so you will need to get renewed consent from your existing customers. So it could be a good idea to update your consent processes to be GDPR compliant as soon as possible, so that your new customers go straight on to the new consent forms. That will reduce the number of customers you need to contact next spring to get renewed consent from.


3. Data breaches

Next we are going to talk about data breaches. This is typically a security breach of some sort in your IT environment, where there is a chance that the personal data that you hold has been available to unauthorised parties.

First of all, the governance structure that we talked about earlier needs to include a clear governance structure for data breaches, so that everyone knows immediately what to do if there is a security breach.


If there is a security breach, then you have 72 hours to inform your local authorities about the breach, and in some circumstances you will also need to inform the customers that have been affected. This is required if the data breach may affect the person’s rights and freedoms. Many self-storage professionals who we have spoken to about GDPR initially say that this is something that doesn’t apply to them, because they don’t hold data that is sensitive enough to affect a person’s freedom or rights. But when you start breaking down your customers into groups, it is not quite so clear cut.

For example, if your country has a legal way of having a non-listed, or secret, address (this is used, for example, for women leaving abusive relationships or people in other sensitive situations), then a data breach of this customer’s address alone would be a risk to the person’s rights and freedoms. This may sound like a technicality, but it is actually a really important point to clarify with your local lawyer, so that you know what to do before you ever experience a breach. Because once the breach happens, you only have 72 hours to react. So it’s extremely important that you know exactly what to do - and what not to do.

Insurance companies are also updating their coverage to include provisions for data breaches, so this is an area to consult your insurance company on.


4. Documentation

Next we are going to take a look at documentation! So let’s start off looking at what you need to document.

  • At the top of the list is your governance structure, which we talked about a little while ago.

  • You need to document what you have trained your staff on, and when.

  • You need to be able to document consent, both who has given and who has withdrawn consent.

  • Whenever you make a technological change that affects aspects of how personal data is stored, handled or processed, you need to make what’s called a Privacy Impact Assessment. This can be quicker than it sounds if you have the right template, but it is important that you can document that you have carried out the assessment, even if it is a short one. What the assessment basically is, is an evaluation of your change and whether or not it has any implications for the handling of personal data.

  • Since you most likely don’t process data yourself, but your suppliers do on your behalf, you need to ensure that they can produce a record of processing that lives up to the GDPR requirements. Again, we don’t have time to go into every detail of what this record needs to include, but at a high level you need to be able to document what has been processed, when, by whom, and also why.

Like we spoke about a minute ago, you need to document various aspects of data breaches.

These are the main things to focus your documentation on, but there is of course more to the list!


How to document?

You are not required to document electronically, but we highly recommend it. You can create Word documents and put them in a folder somewhere, but in our experience this often leads to documentation becoming outdated quickly because it’s not quick to update. That is why we recommend wiki-style tools with good search functions.

At HiTech, we use a product called Confluence, and it is also something that some of our clients use. It’s a tool that I’ll tell you more about in a little while.

The SSA is working on GDPR initiatives and I believe they will be creating some templates that self-storage companies can use to make the whole documentation process a bit easier too.


5. Legal advice

So what should be top of your list when you speak to your lawyer?

  • New consent notices are absolutely at the top, so you can get them to your customers as soon as possible.

  • What your specific requirements are in the event of a data breach is also incredibly important to be clear on.

  • Supplier contracts*

  • You also need to know for certain whether you need a data protection officer in your company.

  • And like I’ve mentioned a few times already, you’ll need to check with your insurance company to make sure you have the coverage level you are comfortable with.

*Your supplier contracts will need to be reviewed, and probably updated, and you should especially be making sure that your suppliers of software and IT can live up to the requirement of deleting or exporting customer data upon request. This is known as the right to be forgotten and the right to data portability.

If you read articles on GDPR, you’ll see these two rights mentioned quite a lot. We won’t be going into detail on these, but for now just make a note that this is something you need to check with your systems suppliers.


So with this, you are ready to go! Well, almost!

Next steps:

Apart from the legal advice, the SSA is going to be a good source of information on this topic, and I know they have been working on putting together GDPR related resources for a while already.

How we can help you get GDPR compliant:
I mentioned earlier that we use a software package called Confluence, and I also want to be quick to point out that we DO NOT get any commission for recommending Confluence to others. So this is purely on the list because we believe this is the best documentation solution out there for self-storage businesses.
Confluence offers a free 30-day trial, and as part of this webinar we also offer to help you get started with Confluence for free, if you want us to. In the link that we send out after the webinar, where you can listen to the recording of it, we’ll also include information about this, and then you can judge for yourself whether you think it would be a good tool for you.
If you feel like you don’t have the time to document everything that needs documenting, then we can help write everything up for you too. We’ve developed templates etc., so we can hit the ground running and save time for everyone.
And if you just want someone to take the whole topic of GDPR readiness off your table, we can manage your GDPR compliance as a project, where we work on your behalf together with your lawyer and your suppliers, to put together documentation and processes that get you compliant in time for May next year.

So now we have got to the part of the webinar where you have the chance to ask questions.

**Listen to the webinar for the questions and answers, starts at 18:13**


If you want our help with your GDPR compliance, feel free to contact me:

E-mail: cland@hitechsoftware.eu

Or call us: +31 (0)348 415 295


© 2017 by Hi-Tech Smart Systems Europe B.V.
