With the deadline for the new data protection regulation fast approaching, we look at some simple measures to take now to improve your GDPR compliance.
The new Europe-wide General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. This means tighter regulation around collecting and storing personal data for all businesses, large and small. This isn’t something you can ignore – everyone who has any kind of organised storage of data (from filing cabinets to computer systems) is covered by this regulation, irrespective of the size of the business.
Personal data is any information that can be used to identify an individual, either by itself or in combination with other data. Personal data includes everything from names, addresses, bank account details, credit card numbers and IP addresses (your computer’s identifying number) to email addresses, photographs, videos, passport details, driving licence numbers, educational background information and so on.
Take a broader look at the GDPR and its implications, or read on for an immediate action plan.
GDPR compliance is about looking after your customers’ and employees’ personal data safely and securely. As long as you work out what personal information you’ve got, and put processes in place to deal with accessing and securing data, then you are likely to be going a good way towards being compliant.
It’s difficult to give precise instructions, as each business is unique, and only you can work out what data you hold and how you store or work with it. Nevertheless, there are specific steps every business can take to try to ensure it stays in line with the new regulation.
Whether it’s employee records, customer details, sales and marketing information – make a complete list of what personal information you are holding within your business, why you are holding it, where you are storing it, and for how long you intend to keep it.
Ensure you’re only collecting the data you really need in the first place. There can be a tendency to over-collect. For example, businesses sometimes ask for a customer’s date of birth for future marketing purposes. If you don’t need it, don’t collect it – and then you won’t have to worry about looking after that information.
Another way of reducing the data you’re working with is to avoid taking copies of data that’s already held on a system – for example, downloading it to work on locally. Where possible, work on the data within the original system instead.
If there is a lawful business reason to keep data, for example a warranty or a repair contract, you do not need to delete it. But how much data on former customers or employees are you holding that you don’t actually need? ‘Just in case’ is not a valid business reason, and may be breaking the law.
It can be helpful to set a time after which you should automatically delete personal data – for example, a certain number of months or years after completing a job.
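The list of what you hold, why, where and for how long works best as a written register that can be checked against a date. The following is an added example, not code from the article or from Which? Trusted Traders: it keeps such a register in Python and reports the entries whose retention period has run out, plus any entry with no purpose or legal basis written down. The field names, the sample entries and the retention periods are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass
class Entry:
    """One line of the register: a category of personal data the business holds."""
    ref: str             # internal reference, constructed for this example
    category: str        # customer / employee / enquiry ...
    purpose: str         # why it is held; empty means nobody has written one down
    legal_basis: str     # e.g. "contract", "legal obligation", "consent"
    location: str        # where it is stored (system, cabinet, cloud service)
    completed: date      # when the job, contract or employment ended
    retention_days: int  # how long it is kept after that date


# Constructed sample register; the entries and their values are invented.
REGISTER = [
    Entry("C-1001", "customer", "two-year boiler warranty", "contract",
          "accounts PC", date(2016, 3, 1), 730),
    Entry("C-1002", "customer", "annual repair contract", "contract",
          "cloud CRM", date(2017, 11, 15), 730),
    Entry("E-2001", "employee", "payroll records", "legal obligation",
          "locked filing cabinet", date(2015, 6, 30), 2190),
    Entry("Q-3001", "enquiry", "", "", "shared mailbox", date(2014, 1, 10), 365),
]


def retention_deadline(entry: Entry) -> date:
    """Date after which the entry should no longer be held."""
    return entry.completed + timedelta(days=entry.retention_days)


def due_for_deletion(register: List[Entry], today: date) -> List[Entry]:
    """Entries whose retention period has already elapsed on `today`."""
    return [e for e in register if retention_deadline(e) < today]


def missing_justification(register: List[Entry]) -> List[Entry]:
    """Entries with no recorded purpose or legal basis ('just in case' is neither)."""
    return [e for e in register if not e.purpose.strip() or not e.legal_basis.strip()]


def summary(register: List[Entry], today: date) -> str:
    """Human-readable action list for a periodic review of the register."""
    lines = []
    for e in due_for_deletion(register, today):
        lines.append(f"DELETE  {e.ref} ({e.category}) in {e.location}: "
                     f"retention ended {retention_deadline(e)}")
    for e in missing_justification(register):
        lines.append(f"REVIEW  {e.ref} ({e.category}) in {e.location}: "
                     "no purpose or legal basis recorded")
    return "\n".join(lines)


if __name__ == "__main__":
    # Review the register on the day the regulation comes into effect.
    print(summary(REGISTER, date(2018, 5, 25)))
```

Run the review on a fixed schedule (monthly is a common choice) and record what was deleted; the register then doubles as evidence that retention periods are actually enforced rather than just written down.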
Your laptop, phone, cloud storage or any other device that holds personal data needs a secure password, which is not shared. If you need to share a laptop, keep a record of who has access to the same files and access codes.
When staff members leave your company, you should immediately change the passwords that give access to business devices, and ensure they no longer have access to your business premises.
If possible, use a program that encrypts data. This will ensure that if your device is lost or stolen, the data cannot be read by whoever ends up with it. See our article on cyber security for more tips on creating secure passwords and keeping your systems and devices secure.
There's a series of basic security measures you should take to ensure you won’t lose data through illegal access to your business premises, including:
In addition, if you keep personal data on file in physical form, ensure it's kept locked away in filing cabinets and not freely accessible to anyone walking into the building. Do not leave documents containing personal data lying around on a desk – this could be a security breach if they’re stolen or used by someone who shouldn’t be able to access that information.
CCTV and video surveillance count as personal data because they capture images of individuals that can be used to identify them. If you use CCTV on your business premises, the Information Commissioner’s Office (ICO) has produced a five-minute online checklist to help assess your system’s compliance. After filling in a questionnaire, you’ll get a report with clear recommended actions and further reference materials to help you stay in line with the regulation.
Under GDPR, you are responsible for the safety of any personal data. At Which? Trusted Traders we use Sharefile (a secure content-sharing program) rather than email to exchange confidential documentation, in order to protect the data from being lost or stolen. If you want to share data over email, you should password protect any files you send.
If you’re going to share personal information with a third party for marketing, you need explicit permission to do so. This means that you can’t just give a customer’s or employee’s details to another individual or organisation unless you asked for permission to do this when you first collected the information.
If you wish to send marketing emails or texts to your contacts (where you keep in touch to try to encourage repeat business), you need to let people know that you may do this when you collect their email addresses or phone numbers in the first place.
You may want to ask people to tick a box to indicate they agree to receive email or text marketing communications. Pre-ticked opt-in boxes are specifically outlawed by the new regulation, so check you don’t have those on your website.
Anyone can ask to see the data you hold on them. Ensure you’ve got a process in place to retrieve specific data if necessary. Under the GDPR, you must give people access to all the information you hold on them within 30 days of receiving a written request (that could be via email or letter).
This could be as simple as sorting out your filing cabinet, or it might need to be more sophisticated if it means pulling all emails and documentation relating to a specific individual.
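For data held on computer systems, the "more sophisticated" case comes down to searching every place you hold data for one person and gathering the results. The following is an added example, not code from the article or from Which? Trusted Traders: it searches several constructed stores (customer list, employee list, job notes and an email log) for an email address, normalising the address so that differences in capitalisation or stray spaces don’t hide a record, and works out the 30-day response date from the day the request arrived. The store names, field names and records are all invented for the example.

```python
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample data stores; names and contents are invented for this example.
# In a real business these would be the locations listed in your data inventory.
CUSTOMERS = [
    {"name": "A. Example", "email": "a.example@example.com", "address": "1 Sample Street"},
    {"name": "B. Other", "email": "b.other@example.net", "address": "2 Sample Street"},
]
EMPLOYEES = [
    {"name": "C. Staff", "email": "c.staff@example.org", "start_date": "2015-01-05"},
]
JOB_NOTES = [
    {"job": "J-17", "customer_email": "A.Example@Example.com ", "note": "Boiler service; warranty to 2020"},
    {"job": "J-18", "customer_email": "b.other@example.net", "note": "Radiator repair"},
]
EMAIL_LOG = [
    {"from": "a.example@example.com", "subject": "Quote query", "date": "2018-02-03"},
    {"from": "c.staff@example.org", "subject": "Holiday request", "date": "2018-03-12"},
]

# (store name, records, name of the field that holds the person's email address)
STORES = [
    ("customers", CUSTOMERS, "email"),
    ("employees", EMPLOYEES, "email"),
    ("job_notes", JOB_NOTES, "customer_email"),
    ("email_log", EMAIL_LOG, "from"),
]


def normalise(email: str) -> str:
    """Compare addresses case-insensitively and ignore surrounding spaces."""
    return email.strip().lower()


def compile_subject_access(email: str) -> Dict[str, List[dict]]:
    """Every record held about the person with this email, grouped by store.
    Stores with no matching records are left out of the result."""
    key = normalise(email)
    result: Dict[str, List[dict]] = {}
    for store_name, records, email_field in STORES:
        hits = [r for r in records if normalise(r[email_field]) == key]
        if hits:
            result[store_name] = hits
    return result


def response_deadline(received: date, days: int = 30) -> date:
    """Latest date to reply, counted from the day the written request arrived."""
    return received + timedelta(days=days)


if __name__ == "__main__":
    request_received = date(2018, 6, 1)
    print("respond by", response_deadline(request_received))
    for store, hits in compile_subject_access("A.EXAMPLE@example.com").items():
        for hit in hits:
            print(store, hit)
```

Searching on one identifier only finds records that carry that identifier, so a person who has used two email addresses, or who appears only in paper files, needs each of those checked as well; the inventory of where personal data is held is what tells you which stores to search.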
Data loss isn’t something that only happens to large companies. Most breaches come from employees sending information to the wrong place – that can happen in organisations of any size.
Under GDPR, you are responsible for protecting the data that you hold or process. The best method to avoid data loss (also known as a breach) is to protect your data – use encryption if possible, choose secure passwords and keep physical data locked away securely.
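Because sending information to the wrong place is the most common cause of a breach, a simple check before a message leaves catches many of the cases a busy employee would otherwise miss. The following is an added example, not code from the article or from Which? Trusted Traders: it inspects an outgoing message and returns warnings for a recipient domain that looks like a misspelling of a known one, for personal data addressed outside the business, for attachments that were not password protected before being sent externally, and for personal data going to several recipients at once. The business’s own domain, the list of known contact domains and the message contents are all constructed for the example; a real mail system would call a check like this from a send hook.

```python
from dataclasses import dataclass, field
from difflib import get_close_matches
from typing import List

# Assumptions for this example: the business's own domain and the domains of
# contacts it regularly writes to. Both sets are constructed values.
OWN_DOMAINS = {"trader.example"}
KNOWN_CONTACT_DOMAINS = {"supplier.example", "customer-firm.example"}


@dataclass
class Attachment:
    filename: str
    password_protected: bool = False   # True if the file was encrypted before attaching


@dataclass
class OutgoingMessage:
    to: List[str]
    contains_personal_data: bool        # the sender's own judgement or a simple classifier
    attachments: List[Attachment] = field(default_factory=list)


def domain_of(address: str) -> str:
    """The part after the last '@', lower-cased, so comparisons are case-insensitive."""
    return address.rsplit("@", 1)[-1].strip().lower()


def check_before_send(msg: OutgoingMessage) -> List[str]:
    """Return warnings the sender should confirm before the message leaves.
    An empty list means nothing looked wrong."""
    warnings = []
    external = [a for a in msg.to if domain_of(a) not in OWN_DOMAINS]

    # A typo in a recipient's domain is one way data ends up in the wrong place:
    # an unrecognised domain that closely resembles a known one is flagged.
    candidates = sorted(OWN_DOMAINS | KNOWN_CONTACT_DOMAINS)
    for addr in external:
        dom = domain_of(addr)
        if dom in KNOWN_CONTACT_DOMAINS:
            continue
        near = get_close_matches(dom, candidates, n=1, cutoff=0.8)
        if near:
            warnings.append(f"{addr}: unrecognised domain, did you mean {near[0]}?")

    if msg.contains_personal_data and external:
        warnings.append("personal data addressed outside the business: "
                        + ", ".join(external))
        for att in msg.attachments:
            if not att.password_protected:
                warnings.append(f"{att.filename}: not password protected")

    if msg.contains_personal_data and len(msg.to) > 1:
        warnings.append("more than one recipient: check nobody is included by mistake")
    return warnings


if __name__ == "__main__":
    # Constructed message: a payroll spreadsheet sent to a misspelt supplier domain.
    msg = OutgoingMessage(to=["accounts@suplier.example"], contains_personal_data=True,
                          attachments=[Attachment("payroll.xlsx")])
    for warning in check_before_send(msg):
        print("WARNING:", warning)
```

The check is deliberately a prompt rather than a block: it makes the sender confirm what they are doing, which is enough to stop most mistaken sends without getting in the way of legitimate ones. Keeping a log of which warnings were shown and overridden also gives you something to look at when working out how a breach happened.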
Think now about how you would handle the situation if the worst were to happen. Who would you contact and how would you resolve the situation? Put together a data breach process, which could include:
The ICO is responsible for supporting businesses to implement the new regulation. Its website has an online tool to determine whether the GDPR will affect your business.