Familiarise yourself with GDPR and what it means to you and your business.
Carry out a full audit of what data you hold:
Why do you hold this data? Review the basis on which you collect data – why do you need the personal information? Data must only be collected for specific, explicit and legitimate purposes.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard. Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. It should also be easy for consent to be withdrawn.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
How long do you keep it for? It can only be kept for a reasonable amount of time and this will depend on your own business needs and circumstances.
How do you store it? Is it secure? – Are your electronic and physical data storage and deletion systems secure? Is it held on a personal device? If so, is that device secure?
Privacy Notices – State what information is being collected, who is collecting it, how it is collected, why it is being collected, how it will be used and who it will be shared with. This notice should be easy to find and easy to read.
Data Protection Officer – consider appointing a DPO, who should be someone senior within the company.
Right of Access – An individual may request the information you hold on them – you have 1 calendar month to process this, with no fee payable.
Act Promptly if there is a Breach – you have 72 hours to report a breach to the ICO with a duty to inform any individual affected by it. Keep an audit trail of the collection of data – this may be requested if there is a breach. The fines for not doing so are up to 4% of turnover or £20 million.
Make sure all staff are aware of their obligations and of any new processes.
Don’t ignore GDPR!
These notes are intended as general guidance and are not intended to be relied upon for giving specific advice. Full details of the regulations can be found at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Why not get in touch? I’m on 07823 449485 or you can email me at firstname.lastname@example.org. I’m always looking to widen my audience, make more connections and give advice.