GDPR TIPS – Blog created by James Hutchinson
General Data Protection Regulation (GDPR) five tips
Penalties for non-compliance with the GDPR are up to €20m (£17.4m) or 4% of global annual turnover, whichever is higher. However, the UK’s Information Commissioner, Elizabeth Denham, has previously stated that the government will show leniency to businesses that have demonstrated attempts to implement the GDPR.
One – Know what data you hold
The GDPR deals with the way organisations process, share and retain data, so undertake a review of all personal data you have on file.
Under the new regulations, clients can request that the data you hold on them is deleted – this is the ‘right to be forgotten’. Tip: ensure personal data is filed so it can be easily retrieved and erased if need be. Equally, clients have the right to ask about the extent of the personal data you hold on them, even if they do not want it erased.
Even if a client does not get in touch, under the GDPR you are only allowed to retain data while there is a specific need to do so. So if you have a client who no longer uses your services, have a policy and a process in place to delete any personal information you may hold on them.
Two – Put procedures in place to deal with a breach
All firms that use e-mail to share personal data with external parties have to consider what they would do in the event of a breach (e.g. sending an e-mail to the wrong person). Processes are required to respond to any data breach; these generally include reporting the breach to the ICO within 72 hours and maintaining a record of all breaches that occur.
Three – Check your online security methods
Existing data protection rules require appropriate technology and training to be in place to protect shared information.
The ICO recommends encryption on all PCs and electronic devices, which includes encrypting any e-mails you issue that may contain personal data. Note that encryption is currently a recommendation, not a requirement.
Four – Appoint a senior staff member to look after data protection
Every firm needs to ensure that someone holding a senior position has overall responsibility for the business’s data protection compliance.
Public authorities, and companies whose core activities consist of large-scale processing of special categories of data or of regular monitoring of individuals, are required to formally appoint a data protection officer. While this should not be the case for most small firms, you may voluntarily appoint a data protection officer should you wish to do so.
Five – Educate your staff
All employees need to be aware of the GDPR so that there is an awareness of where personal data is filed, where data should be saved in future, and how long it should be retained. This means you and your team can be confident that data is not being kept in incorrect places.