The GDPR came into force on Friday 25th May 2018, amid a raft of mixed messages and media coverage.
A flurry of activity around that time suggests businesses were frantically trying to get their houses in order. The dust has settled and there are now three types of organisation: those that are GDPR-compliant, those that are in the process of becoming so, and those that have yet to begin. Whichever category your organisation falls into, it’s not too late. There are simple steps that can be taken to ensure your business is moving in the right direction.
The dreaded data audit
The term “data audit” was used an awful lot in the run-up to 25th May and, whilst it sounds like an overwhelming task, a data audit is essentially about getting a handle on what data you hold and where it is stored. Delegate this task to a responsible individual within each department and put together a uniform template setting out what the data is (e.g. customer/client, employee or supplier) and where it is stored (e.g. electronically, filing cabinets, a box in the loft).
The spring clean
Once you have rationalised what data you hold, put together a data retention schedule. This should be categorised into customer/client, employee and supplier data. The GDPR does not prescribe specific retention periods and it is therefore a case of your organisation justifying its retention of personal data based on its specific needs and legal requirements.
Delete, shred or anonymise any data that is surplus to requirements. Those responsible for IT need to carry out an electronic clear out, and physical files should be securely destroyed or archived. This process will help hugely if you ever receive a subject access request from an individual, as you can’t be expected to disclose data you no longer hold.
A key driver for the GDPR is to give individuals enhanced rights. Consequently, your business is required to tell individuals what data it holds about them. Again, this will help to pre-empt any subject access requests.
You need to inform employees, customers/clients, and suppliers what data you have, how it was collected, why it is processed, where it is transferred, how long it is stored for and what their rights are as individuals. A layered approach should be taken, with a privacy notice containing the above information situated on your organisation’s website and issued directly to individuals where practical.
The “consent” myth
Review your employment contracts to identify any clauses under which an employee consents to the processing of his or her data. Consent is rarely the most appropriate legal basis to rely upon when processing personal data. The GDPR recognises the potential imbalance in the employer-employee relationship and makes this approach unsustainable going forward.
Introduce a dedicated data protection policy and make sure staff are aware of what is expected of them through internal or external training and seminars. It is vital to create a “culture” of data protection alongside putting in place robust policies.
It’s not too late
Whilst implementation will result in widespread changes in the vast majority of UK businesses, it’s not as radical a departure from existing data protection regulations as has been portrayed.
The above are some of the key steps you can take, but there are many more areas that fall under the remit of the GDPR. The imposition of fines by the Information Commissioner’s Office is not reserved for personal data breaches alone and can result from failure to implement internal procedures and non-compliance with the principles of transparency and accountability.
Although the 25th May has been and gone, the GDPR is here to stay.
For more information on any of the above, or on how we can help your business, please contact Ben Jackson, or call 0191 232 8345.