Media excitement concerning the General Data Protection Regulation (GDPR) may have died down now that we are nearly two years in, but the serious risk for non-compliant businesses is ever present. Commercial Solicitor Ben Ironmonger of Scott Bailey LLP sets out some useful tips on cost-effective GDPR compliance.
It is easy for a small or medium business to put GDPR to the bottom of the priority pile and simply label it as more red tape, particularly given the regulations were brought in nearly a year and a half ago in May 2018, and the world has not stopped spinning yet. However, organisations shouldn’t be lulled into a false sense of security.
As more time passes, the Information Commissioner’s Office and other regulators are likely to become less lenient in respect of data breaches.
Directors are probably already aware that there are hefty financial penalties at stake, but supervisory authorities also have the power to suspend a business’s data processing activities on a temporary or permanent basis. Clearly, for some businesses this could be devastating.
It is therefore vital for business leaders to ensure organisations’ data processing activities are compliant. Here are a few points to help get you started:
Data processing audit
The starting point should be to carry out a thorough audit of your business’s data management. This helps identify GDPR gaps and potential weak points in your systems, which could lead to a breach of GDPR. There is literature on the Information Commissioner’s Office website to help businesses carry out such audits, or experienced professionals can provide guidance and support as required.
Go one step further
Carrying out an audit and putting it in the bottom drawer isn’t enough; implement any required action promptly. If there are changes you need to make, identify the ‘who, what, where, why and when’ straight away.
Do we need a Data Protection Officer?
Under the GDPR, a business must appoint a Data Protection Officer if:
- It is a public authority or body;
- The business’s core activities require large scale, regular and systematic monitoring of individuals; or
- The business’s core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
A business may appoint a Data Protection Officer if it wishes, even if not required to. The same requirements of the position and tasks apply whether appointed voluntarily or on a mandatory basis.
Do we need GDPR policies?
Yes. Whilst the cost of having properly drafted GDPR policies may be annoying, it is better to spend a little initially to help avoid a massive cost if it all goes wrong later on.
Examples of GDPR policies you should have include:
- Data breach policy – it is essential to have a properly drafted policy in place which is read and understood by all staff and covers exactly what should happen if a breach occurs.
- Retention and storage of data policy – it is important to be clear and transparent as to how personal data will be stored (including emails).
- Bring your own device to work (BYOD) policy – if your employees use their own phones, flash drives, laptops, and so on at work, then you almost certainly need one of these.
Review international data transfers and relevant contractual documents
If you or a subcontractor transfer personal data outside of the EU, you must consider how you will comply with the GDPR’s requirement to have ‘adequate safeguards’ in place. This may involve having further contractual arrangements in place with the recipient of the data to provide your business additional protection. Are your contracts with suppliers and subcontractors compliant?
Employment contracts, handbooks and policies
GDPR is not just about customer and client data; you need to take care over your employees’ data too. Activity should include reviewing privacy notices for job candidates and other fair processing information given to employees, reviewing employment contracts, handbooks and policies.
Business leaders should also be proactive in training staff regularly on their data protection responsibilities.
Go one step further… again
As with the audit, it is not good enough to have excellently drafted and prepared policies. If staff aren’t aware of them and don’t follow them, then what is the point in having them? As with terms and conditions and other core business documents, business managers should continually liaise with others in the organisation to make sure the rules are being followed and that prepared policies remain appropriate. Properly trained staff are less likely to make mistakes.
Data protection and new technologies, services and goods
Data protection is not just a compliance ‘box-ticking’ exercise under the GDPR – it must play an important role in key decisions and practices in your business on an ongoing basis.
Businesses and organisations must keep their data protection practices and policies under review to make sure every new technology, service or product introduced to or by the business is compliant. If your business requires guidance or documentation to assist with its GDPR compliance, the business solicitors at Scott Bailey LLP in Lymington will be glad to help.