This time last year, the GDPR forced organisations to prioritise data protection as a key issue and caused all sorts of confusion and consternation among the business community
Badged by the government as a law “fit for the digital age,” the General Data Protection Regulation came into force on 25 May 2018, with many companies frantically rushing to comply with its requirements before the deadline arrived.
Almost one year on, there are now three types of organisations – those that are GDPR-compliant, those that are in the process of becoming so, and those that are yet to begin. Whichever category your organisation falls into, there are still simple steps to take to ensure your business is moving in the right direction.
Data audits A “data audit” may sound overwhelming, but it is essentially about understanding what data you hold and where it is stored?
Developing a uniform template, which sets out what the data is (e.g. customer/client, employee or supplier) and where it is stored (e.g. electronically, filing cabinets, a box in the loft) should be your starting point.
The Spring clean
Once you have rationalised what data you hold, put together a categorised data retention schedule. As the regulations don’t prescribe specific retention periods, it’s up to you to justify what your business keeps based on its specific needs and legal requirements.
Deleting, shredding or anonymising any electronic or physical data that isn’t needed will help hugely if you ever receive a subject access request from an individual, as you obviously can’t disclose data you no longer hold.
Be transparent
The GDPR gives enhanced rights to individuals and, as a result, businesses are usually required to tell such individuals what data it holds about them. Inform employees, customers/clients and suppliers what data you have, how it was collected, why it is processed, where it is transferred to, how long it is stored for and what their rights are as individuals.
The “consent” myth
The idea that consent is the most appropriate legal basis to rely upon when processing personal data is a fairly common misconception. Each processing activity your business carries out needs to be judged on its individual merits, particularly with regards to employee data and direct marketing. Identifying the relevant lawful basis for processing is a vital, and often complex, task. Policy matters Introduce a dedicated data protection policy and make sure staff are aware of what is expected of them through internal or external training and seminars.
Creating a “culture” of data protection alongside these policies is vital. A note on Brexit It appears no issue is safe from Brexit. However things turn out, there will be an impact on data protection matters that will need to be carefully assessed, but for now, the advice is, unsurprisingly, to continue to be compliant with data protection law. It’s not too late The GDPR is not, in practice, as radical a departure from pre-existing data protection regulations as was portrayed last year, but there are still issues that need your attention and pragmatic steps that your business should be taking to stay on the right side of the regulations.
To discuss any data protection matters and how your business can work towards becoming GDPR-compliant, please contact Ben Jackson at Hay & Kilner Law Firm on 0191 232 8345.
