Jay Bhayani is a solicitor, HR specialist and regular unLTd columnist.
Data is everywhere around us, from the data we hold on employees, to the marketing lists we use to promote our services.
With the General Data Protection Regulation (GDPR) set to come into force on 25 May 2018, how can you ensure that your business is protected?
Although some points of guidance still need to be finalised, there is plenty you can be getting on with now to ensure that you are data compliant.
So, what can you be doing now?
The Information Commissioner's Office (ICO) has released guidance, and you can find a wealth of information on its website, but here are our top 10 tips to help you get started.
1. Why do you collect and hold data? GDPR requires you to give individuals more information on how their data is used than you previously had to. If you don't fully understand why you have collected and held the data, how can you provide individuals with that information?
2. Stop collecting any data for which there is no legitimate need. Once you have completed point one, you should have a good idea of what data you need and what data is superfluous.
3. Check your data protection policies and privacy notices. Will they need updating to incorporate all of the additional information required by GDPR?
4. Ensure you are entirely clear on what could be considered personal data. This can include online identifiers such as IP addresses.
5. How do you get consent from your employees, clients or customers to use their data? The phrase used within GDPR is 'explicit consent'. How will you ensure that the data you gather is collected with the explicit consent of the person in question?
6. Ensure that staff are aware of the key changes to your policies and procedures. Schedule training for all staff so that they understand the changes, how these will affect them and how they carry out their duties.
7. Complete an audit of how long you retain data. Many organisations hold personal data for a prolonged period; ask yourself whether this is necessary. You may not need to change your practices on these points, but data should not be held for longer than is reasonable.
8. Complete an audit of all of your contracts with suppliers. The additional requirements of the GDPR may mean that they need updating to protect both you and the supplier.
9. Liaise with any suppliers who could potentially process personal data for you, especially those based outside the EEA, as there are additional requirements when dealing with suppliers outside Europe.
10. Record your preparations. You will need to evidence that you are compliant with all GDPR requirements, and in order to fulfil the 'accountability' principle you will need evidence to back up any action taken.
Hopefully, by following these tips you will put yourself in a much better informed and stronger position when the changes take effect in May 2018.
For advice on specific aspects of your GDPR requirements, you can contact us on 0114 3032300 or email email@example.com.