OK, that’s not what it stands for, but the General Data Protection Regulations are here to stay, and it’s imperative that we get it right.
It seemed to be on everyone’s lips in the run-up to the launch in May 2018, when it replaced existing Data Protection regulations. Six months later, and it’s old news, right? Wrong. We need to be sure we don’t get complacent now the hype has died. By embracing the changed regulations and embedding a robust policy now, we will see a positive change to our day-to-day workings. It’s best practice for our businesses and great customer service for our clients.
What is the GDPR?
The GDPR is Data Protection brought up to date. It’s a more customer-focused approach to the way in which personal data is handled, shared, accessed, and used by organisations, and it applies to us all. From sole traders to global corporations – the regulations affect us all in some way.
The GDPR details the rights that protect an individual’s personal data; Personal Data being defined as a piece of information that can identify any living person. This could be a name, email address, IP address, or even pseudonymised personal data – think of it as any data that is an identifier.
The new regulations not only enhance the rights of individuals, but also determine the obligations placed on organisations. Businesses are now accountable for the way in which they handle, control, or process any personally identifiable information about EU citizens.
What does this mean for me?
Your staff, your clients, and your customers all want confidence that you will manage their sensitive details responsibly. Your Data Protection policy is a working document, which details the process your business follows to ensure compliance – how you ensure data is used responsibly and is kept safe. Risk assess your current process, and base your policy upon your findings. Detail why you collect the data you do, how it is processed, where it’s held and for how long, and what security measures you have in place to protect it. Explain how you obtain your data, who has access to it, and how it can be accessed, if required.
Note: If your organisation has more than 250 employees, you must have this policy in place. All you SMEs out there, I’d still recommend implementing a policy; it’s good practice and will help future-proof your organisation as it grows.
Firstly, you must have a valid reason for collecting and using personal data. You must be transparent about how it is collected and how you will use it. Customers now need to give clear consent to share their details and for you to retain them – no more double negatives on those tick boxes.
Remember, you can only use collected data for its intended purpose. Make sure you highlight the reason (the purpose) why you collect, use and securely store data.
Be sure to outline how long you will hold data for – and ensure it isn’t any longer than necessary – no keeping hold of it “just in case”, I’m afraid. New purpose = new consent required. Keep data accurate and have a clear, justifiable retention period stated in your policy.
New regulations make it easier for individuals to access any data held on them; there is no longer a £10 charge for data requests and organisations have a strict deadline whereby they must provide the information – 30 days to be precise. Your policy should include how requests are made, and how your organisation will respond to such requests.
As of May, Regulators are now able to heavily fine businesses that fail to comply or that breach regulations, so being clear about your approach, documenting process and training your staff is now more important than ever.
The GDPR now states that small offences could face a penalty of 10M euro, or 2% of global turnover (whichever is greater). A more serious breach and you’re looking at a fine of 20M euro or 4% of global turnover. Let’s put that into perspective. TalkTalk faced a fine, in April, for a breach of DP – they were charged £400k. Had that breach occurred in May, after the new regulations were introduced, they would be looking at a whopping 59M fine.
So what counts as a breach?
Any act that puts sensitive data in jeopardy. For example, you store your data on a non-secure website, and you get hacked – that’s a breach. You’ve not securely protected someone’s personal data. Say your employee prints some sensitive data and it gets into the wrong hands, be it unintentionally or even maliciously – you got it, that’s a breach.
All breaches must be recorded. As soon as you are aware of a breach, you have 72 hours to report this to your nominated staff member, as per your policy. Depending on severity – if the breach is a risk to people’s rights or freedoms, you must also report it to the ICO, and you must inform everyone affected. Make sure you contain and resolve the breach immediately. Remember to take stock, review your process, and learn from the incident – look at preventative measures to safeguard against it happening again, and update your policy to reflect this learning.
By being aware of your obligations, and by keeping your customers at the forefront of your mind, you can easily be compliant. By bedding in good practice now, you can safeguard your business in the future. Your policy will organically grow as your business does – it’s much easier to implement now than retrospectively; cultures are notoriously hard to change so it’s worth investing the time now to Get Data Protection Right (see what I did there!)
1. Risk assess how data enters, flows around and leaves your business
2. Use your findings to compile your Data Protection Policy
3. Ensure you have the correct safety measures in place
4. Report any breach promptly, internally and externally if required
5. Train your staff so they can be confident with your policy and follow it accordingly; embed it so data protection becomes a part of business as usual
6. Review your policies and customer databases regularly.
Debbie Edwards, Executive Assistant.
Debbie is an EA with years of experience, currently supporting the Director of Global Programmes at Penny Appeal, a humanitarian charity organisation supporting Muslims around the world. Debbie also offers remote executive support, advice, policy creation & implementation and administration on a freelance basis.