GDPR is the original EU legislation, incorporated into UK law by the Data Protection Act 2018. Since then, firms violating privacy and security standards can be penalised with fines of up to tens of millions of pounds.
Why is GDPR important?
GDPR improves the protection of our data and clarifies what companies that process personal data must do to safeguard their customers. All companies and organisations that deal with data relating to EU citizens must comply with GDPR legislation, but Michael explains that many business owners fail to understand how to remain compliant.
So what are the 5 key steps to nailing GDPR?
1. Identify and map
You need to understand what personal data you process, communicate the correct information to your customers, process personal data in compliance with the law and manage the risks associated with processing personal data on a continual basis. The personal data that you process changes daily and what you do with the data will change over time as you introduce new functionality and work with different suppliers. You must learn to consider data protection consistently and update documentation and processes as needed. Compliance is a journey, not a destination.
2. Figure out the legal basis for each processing activity
It may be consent, it may be a legal obligation, it may be because you need to process the personal data to provide your goods and services or it may be that you have a legitimate interest in processing the data.
3. Investigate data transfers
Investigate whether you transfer any personal data outside of the UK and EU – including to service providers who may store it elsewhere or be located abroad. If you are a med-tech business processing sensitive health information about people, you need to know exactly where and how that data is being processed and have extremely robust systems in place to ensure that personal data remains secure. A breach could have disastrous consequences. In contrast, if you operate a click-and-collect online store, you may only hold the names and email addresses of your customers, meaning that the risks associated with data processing are smaller.
4. Get your documents in order
A Privacy Policy is an important document that should be published by almost all businesses. However, most businesses store personal data in third-party software (CRM systems, accounting systems, etc.). You will want to have a Data Processing Agreement in place with those suppliers requiring them to process your personal data in a compliant manner. If they transfer the data outside of the UK, you will need to put Standard Contractual Clauses (SCCs) in place with the processor. Running a business is all about risk management, and data protection works in exactly the same way.
5. Let your team know
Make your team aware of their obligations and ensure your customer services team understands the way you process personal data, what you do with it and how they should respond to queries. If you can nail the client interaction and make sure your customer team responds in the right manner, you can shut down a lot of potential complaints and risks before they get too far.
You can download our brochure for a full breakdown and Introduction to the General Data Protection Regulation (GDPR).