Around a month after the GDPR came into force, the furore around it seems to have died down. In the weeks and months leading up to 25 May 2018, companies were furiously researching the new rules, updating their privacy policies and sending emails to clients and customers. It seemed as though 25 May was the be-all and end-all, and many companies are now likely breathing a sigh of relief that they got everything organised in time.
However, the GDPR is designed to protect people’s personal data in the long run. Don’t become complacent: you need to remain compliant so that you don’t inadvertently cause a data breach. Not only would that be bad for your customers and for your company’s image, but it could also result in a hefty fine.
Ensure Continued Transparency and Accountability
When your business carries out its day-to-day operations, it still needs to keep data protection in mind. Not only do you need to adhere to the GDPR consistently, but you also need to be able to demonstrate that you do in order to be deemed compliant. Keep thorough, clear and accessible records of what personal data you hold on an individual, why you hold it, how it is stored and the lawful basis on which you process it; where that basis is consent, keep evidence that the individual actually gave it.
The best way to do this is to have set procedures for recording and monitoring data storage and GDPR compliance. Make sure that all employees are aware of these procedures and that they are followed consistently.
Consider Personal Data You Might Not Have Thought About
Much of the focus of GDPR enforcement has been on client and customer data, especially data collected for marketing purposes. However, it does not matter whose personal data it is: it still falls within the scope of the regulation. This includes, for example, information about employees and about people who apply for jobs at your company, as well as about other third parties.
Make sure you take all of these types of personal data into account and treat them in the same way as client or customer information.
Make Sure You Delete Data Properly
Deleting data properly is another important aspect of the GDPR. Individuals have a right to erasure, and the storage limitation principle means you must not keep personal data for longer than you need it. Many companies are used to archiving data they no longer need, but under the GDPR you need to fully erase data once you no longer have a lawful basis for keeping it. This means you need to be able to locate it when required and delete every copy of it. Bear this in mind when storing files: it needs to be clear where all copies of an individual’s personal data are kept, so that they can be found and erased quickly.
Know What to Do in the Event of a Breach
Even if you take all the necessary precautions, a data breach can still occur. For example, personal data may be sent to the wrong recipient, or a computer containing personal data could be stolen.
Dealing correctly with data breaches is a core part of the GDPR. Where a breach is likely to result in a risk to individuals’ rights and freedoms, you must report it to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it; where that risk is high, you must also inform the affected individuals without undue delay. You also need procedures in place for identifying, investigating and recording all data breaches, whether or not they have to be reported. For more information, see the ICO’s web page on personal data breaches and GDPR.
Most businesses will already have researched the new legislation and be up to speed with it. However, the key now is to remain vigilant. Make sure that data protection is integrated into all of your business operations and procedures so that you avoid mistakes and near misses.