Are you still in the dark about GDPR?
Posted on 17th December 2018 at 12:34
It’s now been over six months since the implementation of GDPR. Have you checked your company's GDPR compliance? According to GDPR:Report, only 21% of businesses in the UK believed they were GDPR compliant by September. Where is your company on its GDPR compliance journey?
Many believe it doesn’t affect them because they’re only a small business, and they might have heard that it only affects businesses with over 250 employees. This is only partly true.
Brexit or not, GDPR is not going away, as any business dealing with people in the EU has to make sure their data is stored safely and collected according to strict rules and regulations. Gone are the days when you could simply add someone to your mailing list just because you received their business card. This is no longer a legitimate way of list building.
It is important not to put your head in the sand about GDPR. Here are some basic guidelines that might help.
Does GDPR affect you?
Let’s start with a look at who is affected by GDPR. It applies to every company holding personal information and doing business with citizens in Europe. It does not matter where the company is based; it might even be on another continent. It also doesn’t matter whether the data processing takes place in the EU or not. If your customers or clients are EU citizens, you are subject to GDPR.
It is also important to note that GDPR is not just an IT issue. It has implications for the whole company, from marketing to sales, accounting to HR, purchasing to customer service.
Understand what data you are holding
What is personal data? It refers to any information relating to an identified or identifiable natural person (‘Data Subject’). An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Do you have policies and processes in place should a customer or supplier raise a SAR (subject access request)?
Under GDPR, individuals have the right to access the data you hold about them. This means you have to provide a copy of their data free of charge. They also have the right to have their data transferred to another provider or deleted if they choose. How will you do this?
You need to have policies and processes in place to:
Establish the identity of the person asking for their data
Collect all the data you hold about them
Delete as much or all of the data you hold if the individual requests it. You may need to keep some elements of the data for HMRC purposes if they were an employee.
Transfer the data to another provider safely if needed
Do your staff know what to do in case of a data breach or ransomware attack?
The ICO (Information Commissioner’s Office) is responsible for enforcing GDPR in the UK. Who in your organisation is the person responsible for informing the ICO in case of a data breach?
This is the person who needs to be informed should the worst happen. They have a maximum of 72 hours to inform the ICO from the moment the breach was discovered. Ideally the breach should be reported to the ICO within 24 hours.
Your company needs to make every possible attempt to keep the personal data it holds secure. You need to have precautions in place to prevent cyber-attacks or ransomware threats. Failure to do so can ultimately lead to large fines. It is close to impossible to be 100% secure, but you have to protect yourself to the best of your abilities.
The ICO are there to help organisations in the first instance, so make use of their resources and guidance.
How Green Giant Consulting can help
Talk to us about our GDPR awareness training for you or your team, and about our Data Protection Officer as a Service (DPOaaS), where we act on your behalf, giving you the right advice and guidance. In addition, we can provide fixed-price packages to ensure your GDPR compliance.
Get in touch and find out how our GDPR Consultancy services could help your business. You can call us on 0844 259 6210 or visit our Contact Page to book your FREE initial review.