What is GDPR?

The GDPR (General Data Protection Regulation) came into force within the UK on May 25th 2018 and is designed to modernise laws that protect the personal information of individuals. It replaces the Data Protection Act 1998 placing greater obligations on how organisations handle personal data and introduces higher regulatory fines for non-compliance and data breaches.

GDPR affects all UK businesses who process any information about EU citizens meaning the way you operate must comply with this new legislation.

Any organisation that collects data, online and offline, must have clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures to remain compliant.

Under GDPR, the Information Comissioners Office (ICO) can impose fines of up to 20 million Euros or 4% of group worldwide turnover (whichever is greater) against both data controllers and data processors.

How do I make my business GDPR compliant?

There are a number of ways to make your business GDPR compliant, from familiarising yourself with your company’s data processing procedures to security measures that will avoid data breaches. Here are our 7 steps to compliance:

  1. GET TO KNOW YOUR DATA: Getting to know all the personal data in your business is vital to ensuring you are GDPR compliant. Map where all of your personal data comes from and document what you do it, where it resides, who has access to it and any potential risks associated with it. Identifying this will enable you to manage your data efficiently and securely.

  2. SPRING CLEAN YOUR DATA: GDPR encourages a more regimented treatment of personal data so it is advisable to clean up your data, securely removing any data or information that is unnecessary or unused. It is important to consider why you are saving your data, what the benefits and goals are of keeping all of this personal information and whether disposing of it has more financial gain than encrypting it. Implement a data retention period and ensure any unnecessary data is deleted within the specified time limits.

    You can further minimise the risk by limiting access to personal data to the specific employees who need it in order to perform their job.

    Remember, personal data must be disposed of securely and safely to prevent a data breach. Wales Recycle I.T. are experts in destruction solutions for IT equipment and will help you ensure that your data is disposed of confidentially and securely.

  3. SECURE YOUR DATA: A breach of data not only contravenes GDPR and jeopardises your clients’ trust, it could also see you faced with fines of up to €20 million or 4% of group worldwide turnover, whichever is greater. Therefore, it is vital that you develop safeguards throughout your company by implementing security measures to prevent data breaches and quickly notifying individuals and authorities within 72 hours if a data breach occurs.

    The Information Commissioner’s Office (ICO) recommends pseudonymisation and encryption of personal data as ways to reduce the risk of data subjects. Pseudonymisation encodes personal data with artificial identifiers and can be used to re-identify the subject whereas encryption renders data unintelligible so that only people with access to a secret key or password can read it. Either method provides a legitimate way to address the security of processing personal data.

  4. REVIEW CONSENT GUIDELINES: Under the GDPR, pre-checked consent boxes or implied consent are no longer acceptable. Instead, companies are required to gather explicit consent from clients regarding the acquisition and processing of their data. To comply with this, it is wise to review and amend your company’s processes for obtaining online and offline consent.

  5. UPDATE YOUR WEBSITE: There are a number of steps you should take to enable GDPR compliance on your website:

    • Include a privacy policy that details what data you collect from your website, your legal basis for processing the data and how you share it with others.

    • Provide a cookie policy outlining the cookies you collect on your website and what you plan to do with them.

    • Install a cookie banner notice so that when a user first visits your site, they can accept and choose which types of cookie they are happy for you to collect.

    • Feature any required consent checkboxes on your web forms, ensuring they are unchecked and separate for each type of processing activity.

  6. EDUCATE YOUR STAFF: Train your employees on what constitutes a personal data breach and teach them how to recognise and report any mistakes as soon as they are identified. Educate new staff on your data processing policies and keep existing staff updated on any changes to those policies. Encourage the entire team to think of personal data as a valuable commodity which needs to be protected at all times.

  7. IMPLEMENT DATA PROCESSING POLICIES: Under the GDPR, individuals have a lot more control over their personal data. Consequently, businesses must have detailed policies that cover how they will obtain legal consent from individuals regarding their data, how they will delete or transfer a customer’s data securely and how best to communicate a data breach. Setting out a clear data protection policy will minimise risk to your data and build mutual trust between your clients and company.

GET GDPR COMPLIANT TODAY! 

The GDPR massively affects how you must handle, dispose of and store personal data. It is best to devise and implement a clear, company-wide plan that details how you manage data in order to comply with the GDPR to avoid data breaches.

Read more about how to make your business GDPR compliant on ICO’s website.

You should seek legal and other professional advice on how to achieve full compliance.