GDPR – Some Things to do Now
My first article on this subject focused on the lawful reasons for processing and holding personal data. It particularly focused on the use of data for direct marketing and on when you need consent versus when you could potentially rely on legitimate interest. There are other lawful reasons for processing data and I will cover these in a later article. In this article I will start to consider some important activities to do as soon as possible.
As is often the case with regulation of this nature there is an element of interpretation and risk assessment to be done. For that reason, it is impossible to give a generic definition of what being GDPR compliant looks like. However, there are several definite do’s and don’ts that will get you 90% to 95% of the way there. That should put the risk of being fined to an extremely low level.
The first and most important action is to register with the Information Commissioner’s Office if you haven’t already done so. If you process or hold any personal data (even just a phone number of a customer or a supplier, or payroll details for your staff) you need to register and should already have registered under the current Data Protection rules. Failure to do so is a criminal offence. The current cost for small businesses (turnover less than £26M or fewer than 250 staff) is £35 a year. This will increase on 25th May to either £40 or £60 (an extra tier is being introduced – see dp-fee-guide for details). The initial registration will take about 20 minutes. You’ll need to give some details of what data you process, how you process it and why. You can look at other entries on the register to get an idea of what this should look like.
You need to appoint a named Data Protection Officer or a named Data Controller. Which of these you need to appoint will depend on the size of your business. For small businesses it would be a Data Controller. If you operate as a sole trader, it will probably be you. It should be one of the partners in a business partnership or a director in a limited company.
The next two tasks might take a bit of time to complete so you should start them as soon as possible. It might already be too late to get these completed by May 25th, but you should at least make a start and have a plan in place to get these finished within a reasonable timeframe. This is far better than having nothing at all.
The first of these is to produce a data flow map. This needs to show every way in which personal data comes into your business, what happens to it, where it is stored and where it can leave the business. This should include any situations where data is sent to third parties for processing and also where that data comes back in. Depending on the nature of your business this could be a complex task.
The second is to complete a data audit. This is linked to the task above but is more focussed on the actual data. You need to identify each class of personal data and specify for each:
- Why you store it and process it
- Where you store it
- Where it is backed up – so it can be recovered in case of loss
- What security measures are in place to protect it from theft (e.g. encryption / passwords)
There are other activities which I will discuss in following articles.
So, in summary:
- The first and most important action is to register with the Information Commissioner’s Office, which can be done via their website in the link here: https://ico.org.uk/for-organisations/register/
- Appoint a Data Controller
- Produce a data flow map
- Create a data audit
If you think there’s too much to do and you don’t know where to start, do just that – make a start, somewhere, on something. Take step one and plan some time to make headway on the subsequent steps. You may find it useful to read our article on time management and breaking tasks down.
Ian Roberts is the director of Steadcross Solutions Limited, which offers various business development and consultancy services under the Steadcross brand. Contact us if you would like to discuss an area in which we could help your business.
The information in this article represents a summary of our view of GDPR and is not intended as detailed guidance or advice. If you have questions about how GDPR affects your business please speak to your own legal advisers.