16th July 2018
The General Data Protection Regulation (GDPR) came into force on Friday May 25, 2018, amid a raft of mixed messages and media coverage.
A flurry of activity around that time suggested businesses were frantically trying to get their houses in order. The dust has now settled, revealing three types of organisation: those that are GDPR-compliant, those that are in the process of becoming so, and those that have yet to begin.
Whichever category your organisation falls into, it’s not too late. There are simple steps that can be taken to ensure your business is moving in the right direction.
Don’t dread the data audit
The term ‘data audit’ was used an awful lot in the run-up to May 25 and while it sounds like an overwhelming task, a data audit is essentially about getting a handle on what data you hold and where it is stored. Delegate this task to a responsible individual within each department and put together a uniform template setting out what the data is (customer, client, employee, supplier etc) and where it is stored (electronically, filing cabinets, a box in the loft, etc).
Do a spring clean
Once you have rationalised what data you hold, put together a data retention schedule. This should be categorised into customer/client, employee and supplier data. The GDPR does not prescribe specific retention periods and it is therefore a case of your organisation justifying its retention of personal data based on its specific needs and legal requirements.
Delete, shred or anonymise any data that is surplus to requirements. Those responsible for IT need to carry out an electronic clear-out, and physical files should be securely destroyed or archived. This process will help hugely if you ever receive a subject access request from an individual, as you can’t be expected to disclose data you no longer hold.
A key driver for the GDPR is to give individuals enhanced rights. Consequently, your business is required to tell individuals what data it holds about them. Again, this will help to pre-empt any subject access requests.
You need to inform employees, customers, clients and suppliers what data you have, how it was collected, why it is processed, where it is transferred, how long it is stored for and what their rights are as individuals. A layered approach should be taken, with a privacy notice containing the above information situated on your organisation’s website and issued directly to individuals where practical.
Review your employment contracts to identify any clauses under which an employee consents to the processing of his or her data. Consent is rarely the most appropriate legal basis to rely upon when processing personal data. The GDPR recognises the potential imbalance in the employer-employee relationship and makes this approach unsustainable going forward.
Make sure policy matters
Introduce a dedicated data protection policy and make sure staff are aware of what is expected of them through internal or external training and seminars. It is vital to create a culture of data protection alongside putting in place robust policies.
While implementation will result in widespread changes in the vast majority of UK businesses, it’s not as radical a departure from existing data protection regulations as has been portrayed.
The above are some of the key steps you can take, but there are many more areas that fall under the remit of the GDPR. The imposition of fines by the Information Commissioner’s Office is not reserved for personal data breaches alone and can result from failure to implement internal procedures and non-compliance with the principles of transparency and accountability.
Although May 25, 2018, has passed, GDPR is here to stay.