The new General Data Protection Regulation (GDPR) came into force across the European Union on 25 May 2018, bringing with it a raft of new data protection and privacy obligations. However, many businesses are still unsure as to how they should update their privacy policies and data privacy for customers.
To help you get some clarity, Mike Heath, Head of Business Systems at Polyco Healthline, who is responsible for our compliance with the European General Data Protection Regulation, talks about the steps we have taken towards becoming GDPR compliant.
When it comes to compliance, Mike believes this can be broken down into five key areas:
Understand what data you have
To understand what data we have, we carried out a data audit with our nominated data owners (see below). This means looking at all the places we hold Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPII), not forgetting things like paper files or files people may have stored locally on their PC desktops. We then validated all the information gathered in the audit to ensure that the data we store is actually required. Any data that we didn't need to conduct business, or couldn't justify keeping under a Legal Basis for Processing, was securely disposed of.
Manage your data
Managing data is a wide-ranging topic which is hard to cover in its entirety, but some of the key points we had to consider were:
- Updating all our policies, or creating new ones, relating to how we manage data. This included new Data Protection and Retention Policies and updated Website Terms and Conditions. Additionally, key new policies were our Data Breach Policy (the GDPR is very specific regarding how a breach is managed and dealt with) and our Subject Access Request policy; once again, the GDPR is very specific about how you have to respond to a data subject who requests access to the data you hold on them.
- Ensuring the security of data is paramount. The simple questions you need to ask are: Do I need to keep this data? And if so, why? And who actually needs access to it?
Ensure data has an owner
The Head of Business Systems can't be responsible for everything! Data ownership means ensuring that a person in your organisation responsible for data in their care can give a legal justification for that data to be held and only used for its designated purpose. They are also responsible for ensuring that it's only retained for as long as is necessary (covered by the Data Retention Policy) and is only available to staff who need to use it to do business.
Secure your data
Once again, data security is a very wide subject. Key considerations here were things like access to our IT systems: ensuring that user groups only had computer accounts applicable to their jobs. For instance, would your Receptionist really need access to the HR system? If you can safely justify it, then that's fine, but if not, then access should be revoked. Data encryption is an important part of data security. We've all seen the news where USB sticks or laptops are lost and data is exposed. The simple answer is to ensure that any form of mobile computing is encrypted, using appropriate software.
Make your business security aware
Finally, security awareness is not a topic that has been strongly considered by many companies in the past. I often hear "that's IT's job!" We all have a responsibility for security. We've carried out roadshows for our staff, educating them not only about the GDPR, but also general security hints and tips. We've published our policies and guides both on our intranet and on noticeboards. We'll be carrying out regular updates to staff through all these methods. Essentially, we will get to a point where every member of staff considers the data they're handling as important as their own bank details!
In closing, I'd say that whilst some people may consider GDPR to be just a legislative box-ticking exercise, it's not! Just think: how would you feel if your personal data was exposed to the world? Aside from the monetary fines that can be levied against a company found to be in breach, the brand damage could be enormous. After all, how could a customer trust you if you can't keep their data safe?
If you're still not sure about GDPR, take a look at the Information Commissioner's Office website.