You may have heard about new rules to do with data protection, but do you know how GDPR affects your business? Firstly, here’s a little background to the new rules.
GDPR stands for General Data Protection Regulation. In the UK it replaces the regime of the current Data Protection Act (DPA), which is now 20 years old. The new rules apply from 25 May 2018; the final text was adopted in April 2016, so businesses have had two years to prepare.
How GDPR Affects Your Business
GDPR affects your business if you are established in the EU, or if you are based outside the EU but offer goods or services to, or monitor the behaviour of, individuals in the EU. If you fall into either category, you need to identify whether you are a data processor, a data controller or both.
The Information Commissioner’s Office (ICO) identifies these as follows:
A controller determines the purposes and means of processing personal data.
A processor is responsible for processing personal data on behalf of a controller.
In simpler terms, if your company collects and keeps data on living people and decides why and how that information is used, you are a data controller. If you handle this personal data only to carry out specific tasks for the controller, and on the controller's instructions, you are a data processor. Data processors may not use the data for any purpose other than the one they are contracted to fulfil by the data controller.
Examples of data processors include accountancy or payroll firms, which use the employee data held by their clients to carry out their work. However, these companies are also data controllers in their own right, because they keep personal information on their own employees.
What Must Data Processors Do?
By law, data processors have to keep up-to-date records of the categories of processing they carry out for each controller, including what personal data they have received and what they have done with it. Processors must also put appropriate security measures in place for the data they process and must tell the controller without undue delay if they become aware of a breach. If you are a data processor, you can be held directly liable for a breach where you have failed to meet these obligations or have acted outside the controller's instructions.
Responsibilities of Data Controllers
Although processors are responsible for the security of the data in their hands, controllers remain accountable for the processing as a whole. Controllers may only use processors that can give sufficient guarantees about their security and compliance, and must have a written contract in place that sets out the terms GDPR requires, such as acting only on the controller's instructions, keeping the data confidential and secure, and deleting or returning it when the contract ends.
If you haven’t started your journey towards compliance, you really need to start now. The amount of work involved is considerable, but some simple steps to take now are:
Take an audit
What kind of personal data do you store, where did it come from, and why do you hold it? Take a look at the platforms and the devices on which you store your data, and check the security of both. Check whether each supplier will sign a contract containing the terms GDPR requires of a processor, where it stores the data (transfers outside the EEA need a lawful mechanism), and what security it provides. If a supplier cannot meet these requirements, look for something else.
Make an action plan
Should you suffer a data breach, do you know what to do? Under GDPR a controller must report a breach to the ICO within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals, and must tell the affected individuals without undue delay where the risk is high. Put a plan in place now, covering who assesses the incident, who decides whether to notify, and what records are kept, so there are no panic moments.
Subject Access Requests (SARs)
If a customer asks for the information you hold about them, would you know how to find it all and respond? GDPR requires a response within one month in most cases, and you can no longer charge a fee for a standard request. Would you know how to delete information if someone exercises their right to erasure?
Put a plan in place now – your audit will help facilitate this, because you cannot find, disclose or erase data you have not mapped.
Review your data
Delete any old data that you no longer need. You must be able to state the lawful basis and purpose for every set of personal data you hold, and how long you keep it, if the ICO asks your reasons for storing it.
Marketing online? If you rely on consent, it must be a clear affirmative action that is freely given, specific and informed; pre-ticked boxes or silence do not count. You must also be able to demonstrate that consent was given, so keep records of what people were told, when they agreed and how.
The ICO is likely to be more lenient with companies that can show they are actively taking steps to implement GDPR than with firms that have not even started the process.
These pointers won’t make you compliant but show you how GDPR affects your business and what you need to do. The ICO website contains further information. If you want help moving forward with your journey, Supportal can support you through the process. Contact us today to find out how we can help you become GDPR compliant.