You’ve seen and heard the term ‘GDPR’ for a while now, and for the most part you know your business is compliant, but are you regularly reviewing your compliance to ensure that it stays that way?
Very often when new legislation comes into effect, we see a slew of legal and business experts rushing in to dissect, analyse and interpret each section, each hoping to offer their clients the simplest and quickest way to comply with the law. As business owners, we appoint compliance wizards to help us complete our checklist and, once every box has been ticked, we sit back, satisfied that we are compliant and nothing more needs to be done.
And that is where the problem begins.
Compliance with The General Data Protection Regulation (or GDPR as we know it) is not a singular effort that can be undertaken once and never looked at again. Businesses need to regularly review their policies and practices to ensure that they remain compliant and, where they find that they are falling short of the law, implement changes to remedy this as quickly as possible.
We know, though, that business owners are focussed on building their businesses, and the last thing they want to be doing is spending large amounts of time reviewing their GDPR compliance, or having to pay a hefty penalty because they never took the time to do so!
Here is a quick guide which you can work through at least once a year, to help you stay on top of your GDPR compliance.
1. Controller or Processor?
Is your business a data controller (you decide what personal data will be collected and why) or a data processor (you process personal data for, or from, someone else)?
Understanding your role under the GDPR is critical to ensuring compliance. For example, if you were previously a controller and you are now also processing personal data, a review of all your policies and processes will be required.
2. Are your grounds for collecting and using personal data still valid?
- Do you have an appropriate lawful basis for processing people’s personal data?
- Do you handle their personal data fairly and in ways that they would expect?
- Are you open and honest from the start, about how you will be using their personal data?
- If you use personal data for a different purpose than originally intended, do you get specific consent for the new purpose?
- If you use special categories of personal data (such as political affiliation, religious beliefs, sexual orientation, etc), have you obtained explicit consent from an individual to store this?
If your answer to any of the above questions is no, you should audit how data comes into your business, including any consent that is obtained, and what processes it flows through.
3. Are you collecting, processing, or holding data you don’t need?
GDPR requires that you only hold data that is adequate, relevant, and limited to what is necessary. If you are stockpiling data or holding databases with old customer data, you are likely to fall foul of GDPR. In addition, if you are holding data for longer than your retention policy stipulates it may be held, it must be deleted.
An annual audit of the data you hold and a revision of your data processing policies and procedures will ensure that you are staying in line with GDPR requirements.
4. Do you have a retention policy?
Retention policies list the types of record or information you hold, what you use it for, and how long you intend to keep it. They help you establish and document standard retention periods for different categories of personal data.
It is also advisable to have a system for ensuring that your business keeps to these retention periods in practice, and for reviewing retention at appropriate intervals. Your policy must also be flexible enough to allow for early deletion if needed.
5. Are you keeping personal data accurate and updated?
Whether the personal data must always be up to date depends on what you use the information for. If you use the information for a purpose that relies on it remaining current, you should keep it up to date.
In other cases, however, you do not need to update the information, but individuals must be given the right to have inaccurate personal data corrected. It is also recommended (but not mandatory) that you have a standard form which people can use to request a correction to their personal data.
6. Do you have a data consent policy?
A data consent policy clarifies the process that your business follows to ensure that you have obtained clear and explicit consent that is freely given by an individual. The individual must actively agree to this, and if they don’t, you may not capture and store their data under any circumstances.
To comply with GDPR, your business must be able to show that you have obtained consent for the data that you hold.
7. Do you have a data storage policy?
GDPR covers all data no matter where it is stored (email inboxes, customer databases, mobile phones, third-party cloud-based services, etc), so every business should have a data processing and storage policy.
This policy determines where customer data is secured, how it is protected (for example, encrypting the data and securing a website with SSL), and who has access to it. It is also good practice to create a plan for how data is transferred, as well as to place limits on how data is taken out of the business.
8. Do you have a data breach handling procedure?
GDPR requires that you have an emergency plan in place in the event of a data breach, such as a laptop containing customer details being lost or stolen. Encrypting data can significantly reduce the fine your business would face if there was a data breach.
9. Have your staff been trained on data handling in the last 12 months?
It is important that all employees receive appropriate and regular (at least once a year) training about GDPR and your privacy programme, including what its goals are, what it requires people to do and what responsibilities they have.
10. Do you have a Subject Access Request (SAR) policy?
Any citizen can request access to all the data you hold about them in its entirety. This is known as a Subject Access Request (SAR).
Dealing with a SAR is time consuming, and a strict 30-day limit applies for completing the request, so have a plan in place to handle requests from staff, customers, and suppliers.
11. Have you ensured that your suppliers are GDPR compliant?
Businesses often rely on a network of contractors and suppliers, and while small businesses are exempt from this requirement, this exemption falls away if they are working with a larger business that has more than 250 employees. If the large business is not compliant, the smaller business will fall foul of GDPR.
12. Do you have a data processing notice (also called a privacy policy)?
Data handling must be fair and transparent, so every business needs to create a document explaining how it deals with data. Known as a Fair Processing Notice (FPN) or privacy policy, this document should be displayed prominently, such as on your website.
It should detail how you capture data, how you process and store it, and how an individual can request access to it via a SAR. You should also ensure that any time you collect data you provide a link or include details of the FPN so an individual can understand how your business will use their data.