A no-nonsense guide to GDPR

There’s absolutely no getting away from GDPR at the minute, and with everyone keen to share their take on it, it can be hard to know where to start to ensure that your company complies with the change in legislation. Here, we share our straightforward approach to help you get to grips with what you need to do.

The UK Data Protection Act is set to change. This outdated law was created in the nineties and with the digital age offering new ways of working and how we handle and store data, this will be replaced with the much-needed and up-to-date Data Protection Bill.

The new regulation aims to strengthen the rights of citizens to data privacy. This means that every business, which deals with information on the public or employees, must meet new standards of security and transparency.

GDPR

So what does this mean?

Every business, regardless of size and sector, almost certainly holds, stores and processes information for both their own staff and the public. In-line with this new law, how you store, manage and process data for anyone will change. Organisations must analyse the data they currently hold and review their consent procedures to ensure they meet the new standards.

And what do I need to do?

The key is to ensure you put a plan in place now. Ensuring you have an effective and compliant strategy prepared, which will save you much hassle (not to mention a hefty fine) in the long-run.

GDPR

Here is our simple, 11 step guide on what you need to do now.

  1. Audit and retention: An information audit is required to establish what personal information you hold, how you received it and store it and how and who you share it with and how long you hold this information for.
  1. Review privacy notices: Issue privacy notices to those who you store personal data on, advise them of the detail of the data you hold, why you hold it and remind them of their right to withdraw their consent at any time.
  1. Review employment contracts: Ensure your employee contracts and all relevant policies are updated in line with these new changes.
  1. Individuals’ rights: Ensure you have a well defined process in place detailing the right to request deletion of personal data or how data is communicated electronically.
  1. Access to data: Outline how you plan to handle requests for data, including compliance within the new timescales.
  1. Explain your lawful basis for processing personal data: By law, you need to explain why you are holding information.
  1. Obtaining consent: Decide if you need consent to hold and process the personal data you have and if so, ensure you get this consent before 25th May (consent is not always required).
  1. Security measures: Ensure you put proper provisions and procedures in place to secure data such as: password protection, encrypting data, procedures for working at your desk or in an open office environment, homeworking and mobile workers.
  1. Personal data breach: Should a breach of personal data occur, a policy should be in place to detect, report and investigate such issues and ensure the breach is reported within the specified timeframe.
  1. Assigning a data protection officer: Assign a responsible individual within the business the responsibility for ensuring compliance.
  1. Train staff: Ensure you train all staff on compliance and train them on your procedures implemented to avoid data breaches. This will protect the company from hefty fines.

william-iven-22449-unsplash

What happens if I don’t comply?

There are many serious implications for the company including reputational damage where your company could be named and shamed for a data breach.

However the most serious of all is the fines that are imposed for a data breach which can be up to 4% of your annual turnover or fines of up to €20 million. 

Where it all went wrong for some…

Whitehead Nursing Home – Staff payroll details and residents’ personal data was able to be accessed from a stolen laptop (FINED £15,000)

Moneysupermarket – Sent a mass e-mail out to individuals who had unsubscribed (FINED £80,000)

TalkTalk Telecom Group – They had an insecure portal and individuals were able to get unauthorised access to personal data (FINED £100,000)

So as you can see there is significant financial risk with not getting to grips with your requirements around GDPR.  This is not the time to bury your head in the sand. If you need some help with getting compliant, get in touch with us here and we will be able to guide you through this.