25th May 2018 is a date which should be etched in the mind of anyone responsible for a business or organisation – large, medium or small. This is the date when GDPR (General Data Protection Regulation) officially becomes law – and affects any business working with or holding any kind of personal data. There are hefty fines threatened for those who fail to act to protect the data they hold.
What do we do now?
Don’t ignore GDPR and hope it will go away!
As a business you need to consider what data you store about employees, clients or anyone else about whom you hold information. This could be genetic, biometric, political, religious, or concerning sexual orientation in addition to basic information such as name, address and age.
Because the circumstances of every business or organisation are different, there is no ‘one size fits all’ set of rules which can be universally applied. So take some time to consider the following:
- Check your data handling systems and databases: what information do they hold, and what do you actually need to keep? Establish what permissions you now need in order to hold this information, and find out what you must destroy.
- Where do you store the information you hold, and how do you share it? For example, do your staff use it on unsecured personal phones, laptops, etc.? Is it locked in a secure place? Who holds the keys? This applies not only to client information but also to staff records.
- Communication – do you have a policy of telling people what you hold, what it will be used for and who will use it?
- Access – what policy do you have for staff or clients to access the information you hold on them?
- Consent – do you have consent to use this information?
- Children – this is a particularly important area which must be looked at carefully.
- Data breaches – what processes do you have to prevent a breach, and what is your policy for informing and reporting a data breach should it occur?
- Data Protection Officer – do you have a person responsible for data protection compliance within your organisation?
If you are unsure about what to do, find an expert who can assist you. They can help with data audits or advise you on your company’s individual needs. For smaller organisations it may be preferable to outsource the role of Data Protection Officer to someone with the relevant expertise.