The General Data Protection Regulation, otherwise known as GDPR, comes into force May 25th 2018.
GDPR is Europe’s new law for the protection of personal data and is designed to increase the privacy of individuals. Whether a business is large or small, it will need to comply with new regulations for the collection, storage and use of personal data.
What Is Personal Data?
Personal data is information relating to an identifiable person (known as a data subject). This information can be the name of a consumer or a business owner, email addresses, IP addresses, photos, HR databases, CCTV footage etc.
Consent is not required when a business holds personal data for legal business purposes, such as payroll records that need to be kept for 6 years. Consent from the data subject is required when a business holds personal data for marketing and/or sales purposes.
Where To Start With GDPR
The UK’s GDPR regulator, the ICO, has produced a self-assessment to help small businesses get started.
Decision makers should try to attend industry-specific webinars to discover how GDPR is going to affect their business sector. With only months to go, companies need to begin the discovery, management and, in turn, the protection and reporting of the personal data they hold.
– Discover and identify all data a business holds. Search paper documents, computer files, software applications and databases for personal information. Software tools such as Scan can help with personal data discovery
– Carefully delete and shred surplus documents that contain personal data
– Document the business grounds and legal basis for storing and processing personal data
– Check for proof of consent to cover personal data and request consent where it’s missing
– Check and revise third party contracts with companies that have access to, or process, data
– Review retention policies and decide how long personal data needs to be stored
– Consider how to deal with the removal of personal records (right to be forgotten) and introduce new systems and workflows
– Enforce encryption on all computers and check they have a Trusted Platform Module (TPM) chip to provide seamless integration with Microsoft BitLocker hard disk encryption
– Introduce controls to restrict permissions and access to personal data
– Check data
– Review IT security and test cyber-security defences
– Document policies and introduce systems to manage data requests, security policies, privacy notices and data breach reports
– Plan and rehearse a data breach response as you would a disaster recovery test. Check that all staff know the procedure in the event of a breach
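As an added example for the encryption item above (this is not Fentons’ own tooling), the following PowerShell script audits a Windows machine for the two things that item asks for: a present and initialised TPM, and BitLocker protection switched on for every fixed volume. It assumes an elevated session on Windows 10 or Windows Server with the built-in TrustedPlatformModule and BitLocker modules available.

```powershell
# Added example: audit TPM readiness and BitLocker protection on the local machine.
# Assumes an elevated PowerShell session on Windows 10 / Windows Server where the
# built-in TrustedPlatformModule and BitLocker modules are available.
#Requires -RunAsAdministrator

function Get-EncryptionCompliance {
    $report = [ordered]@{
        Computer   = $env:COMPUTERNAME
        TpmPresent = $false
        TpmReady   = $false
        Volumes    = @()
        Compliant  = $false
    }

    # TPM status: BitLocker can bind the disk key to hardware only if a TPM is present and initialised.
    try {
        $tpm = Get-Tpm
        $report.TpmPresent = [bool]$tpm.TpmPresent
        $report.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        Write-Warning "Unable to query TPM: $($_.Exception.Message)"
    }

    # Every fixed OS/data volume should be fully encrypted with protection on (removable drives are out of scope here).
    $volumes = Get-BitLockerVolume | Where-Object { "$($_.VolumeType)" -in @('OperatingSystem', 'Data') }
    foreach ($v in $volumes) {
        $report.Volumes += [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeStatus     = "$($v.VolumeStatus)"      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            ProtectionStatus = "$($v.ProtectionStatus)"  # On / Off
            KeyProtectors    = ($v.KeyProtector.KeyProtectorType -join ',')
        }
    }

    # A machine passes only if at least one fixed volume exists and none of them is unencrypted or unprotected.
    $allProtected = ($report.Volumes.Count -gt 0) -and
        -not ($report.Volumes | Where-Object {
            $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
        })

    $report.Compliant = $report.TpmPresent -and $report.TpmReady -and $allProtected
    return [pscustomobject]$report
}

# Run the audit and list the findings; machines reported as non-compliant are the ones to fix first.
$result = Get-EncryptionCompliance
$result | Format-List Computer, TpmPresent, TpmReady, Compliant
$result.Volumes | Format-Table -AutoSize
```

Run it on each computer (or push it out through your management tooling) and keep the output as evidence of the encryption control for your GDPR documentation.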
How Can Fentons Help?
Fentons recommends a best-practice approach to IT security and can help businesses with the IT aspects of GDPR consultancy.
Ultimately it will be the responsibility of small business owners to assign employees and outsourced GDPR experts the task of discovering and managing personal data within the organisation.
As there is currently no certification or accreditation scheme for GDPR, organisations will not be able to officially achieve GDPR compliance. If a company leaks or loses personal data, the ICO will take its processes, workflows and security into consideration before issuing fines.
Contact our friendly team of IT consultants to see how we can help your business improve IT security and assist with GDPR compliance.