You may know what GDPR is, the key roles involved and the necessity of training your employees – but what else can you do to make sure you’re GDPR compliant?
1. Determine what data you need
Before you can determine what data you need, you first need to realise that data comes in many forms. From names and addresses, to financial records and bank details, to employee records and dates of birth; essentially anything that can help identify an individual is considered personal data.
Next, in order to adhere to GDPR, you are only allowed to keep or hold data that is necessary, and only for the shortest amount of time possible. This means you can’t stockpile data or keep databases full of old customer information.
To begin the overall process – and provide you with proof that you’ve followed protocol – you must first obtain clear and explicit consent from individuals (employees, suppliers, customers, etc.) to collect and store their personal data, and they must give this to you freely. This can be achieved by providing them with an easy opt-out option at first contact, and then every time after when you make contact (so they can opt-out at a later date).
NOTE: you can never assume that inactivity on their part is consent to use their information. It is not a legitimate way to confirm consent, so NEVER use pre-ticked check boxes. Instead, you must clearly explain to them what information your business is collecting and how it will be used. If they don’t agree to this, then you aren’t permitted to capture or store this data under any circumstances. This includes conditional data collection, where data is collected as a condition of using a service, e.g. offering them an incentive to sign up to your newsletter and then using their data to market to them.
Likewise, you need to be careful with any data that falls into the special categories (e.g. political affiliations, religious beliefs, sexual orientation, ethnic origin, etc.), as under Article 9 (Special Categories) this information could be used to discriminate against the individual. As such, you will need to obtain their explicit consent to store this information.
2. Be clear on where data is stored
GDPR applies to all data stored anywhere in your business. This means emails, customer databases, mobile phones and third-party platforms (e.g. cloud-based services such as Dropbox and Microsoft 365) are all subject to GDPR.
For this reason, it is important that you create a transparent and easily accessible policy that clearly outlines:
- how and where data will be stored – it is especially important that you define the process for how data will be accessed and under what circumstances, as you may encounter instances where data processors need access to elements of this data (usually phone numbers and mailing addresses).
- how data will be secured (e.g. encryption and TLS/SSL on your website).
- how it will be transferred – you need to create a plan for how data will be transferred, as it is at its most vulnerable when it is moved (between departments or shared with third parties so they can deliver customer service). You will need to place strict limits on how data is taken out of your business, especially when it comes to laptops and USB drives. In other words, there will need to be restrictions.
- who will have access to it – this will ensure that only those who require it will have access to this information, and no one else.
TIP: whenever possible, use encryption. This will strengthen your security measures and make sure no information can be gleaned without the key needed to decipher it.
3. Define how long it is stored for
Within your data processing and storage policy, you should outline how long data can be stored for without engagement before you must send out a request for re-consent from the individual (once this time is up).
If re-consent is not given or the data is no longer required, you will need to securely dispose of it. This includes the case where the individual does not respond to your request: if there is no contact, you still must delete their data.
NOTE: removing data that is no longer needed is a great way to reduce costs and increase security, as you can control how much data you’re storing. We suggest putting a timeframe in your policy stating that after x months it will be deleted.
4. Emergency plan in the event of a breach
With hackers getting more creative in their methods for accessing information, you need to be ready for the possibility of a data breach. To help with this process, you should create an emergency plan as part of your GDPR compliance checklist. From accidentally misplacing a laptop that contains customer details, to being hacked from inside or outside the business, this plan can help you to prepare for every eventuality.
- Tip One: encrypt your data – this will reduce the fine your business receives in the event of a data breach, as the ICO will be able to see that you implemented security measures.
- Tip Two: all data breaches must be reported to the ICO within 72 hours (at the latest) – this report should detail how it happened, what is being done to contain it and your next steps. Again, having a policy in place will make it easier to handle breaches as all of your employees will be aware of the correct protocol. Even more so, if they have all received appropriate GDPR training.
- Tip Three: data owners should be told any time there is a security breach – this doesn’t always have to be the result of your business being hacked. Simple mistakes such as losing a laptop or accidentally giving a contractor access to your data can happen, so it is essential that you are transparent with everyone affected.
5. Ensure your network of contractors and suppliers is compliant
It is not only your business that needs to be compliant. Anyone you work with, including contractors and suppliers, needs to adhere to GDPR.
This point is particularly true if you’re a small business, as it is likely that you’ve got a network of contractors and suppliers working with you. So even if you employ fewer than 250 people, if you’re working with a large business, you will fall foul of GDPR if they are not compliant.
For this reason, you need to ask contractors to complete a GDPR compliance form covering how they handle data, security and storage, as well as the type of data that they’ll handle. This will ensure that they meet all the requirements of GDPR, and that you can assure your customers and employees of their security measures.
Another thing you can do is ensure that your contract specifies that the supplier/contractor is GDPR compliant. You can also include a right to audit their business, e.g. making on-site visits so you can review their processing procedures.
6. Prepare for Subject Access Requests (SARs)
Otherwise known as a Subject Access Request, a SAR represents any EU citizen’s right to ask for access to any data that you hold about them, together with the right to have any inaccurate data corrected or to ask you to delete some, if not all, of the data you hold. This can range from references to them in email messages, to your customer records, to electronic notes.
Now we won’t lie – dealing with a SAR is time consuming, as you will likely have to go through hundreds of documents and data entries before compiling them into a report and correcting any inaccuracies in your records. Because of this, and because there is a 30 day limit for you to complete a SAR, it is essential that you have a plan in place to deal with one, should a customer, supplier or employee send you one.
7. Publish a Fair Processing Notice (FPN)
Referred to as Fair Processing Notices, these act as proof that you handle data fairly and transparently, and should be displayed on your website for all to see. Within these notices you will explain:
- How you capture data
- How you use personal data
- Who you hold information on
- What information you hold about them
- Who you share information with – the categories of recipients you may be sending the personal data to, e.g. customers, employees, suppliers, etc.
- How long you will hold it for
- How you process and store it
- How data is kept safe
- How SARs can be submitted, i.e. how individuals can request access to their data
In addition, every time you collect data, you should provide a link or include details of the FPN. This will help individuals to fully understand how your business will use this information.
NOTE: to help maintain transparency and ensure that everything in your FPN remains true, you will need to regularly review how data is gathered – covering everything from obtaining consent, to your processing procedures, to who handles it, to how it can be accessed. This will ensure that you have covered all of your bases and that you are compliant in every area.
8. Consider certification
Although they are not a mandatory part of GDPR compliance, there are certifications you can take as a business that will make it easier for you to adhere to the necessary regulations.
A good example of this is ISO 27001 certification. This is an internationally recognised standard for the responsible management of information security. It is also designed to help identify any gaps in security or potential risks to information, and then provides guidance on how to resolve them or prevent them from happening.
We appreciate that after reading all of this, you’re probably thinking GDPR is a lot of hassle. However, it can be used to add value to your business and bring in more custom, as your clear compliance with these regulations will assure individuals that you won’t misuse their information. Instead, it will help to build trust in your business as they’ll know that while it is in your care, it will be 100% secure and protected.
Still not sure how to handle GDPR? Contact our team at Economit. We can perform an audit of your processes and help you to determine the best course of action for maximising data protection and making your business compliant.