It has been one year since the General Data Protection Regulation (GDPR) came into force in the UK. According to Thomson Reuters, over half of UK businesses believe that they are failing to comply with GDPR, and the number of SMEs who believe that they may be infringing GDPR is on the rise. If you want to check that your business is compliant, here are our top 5 tips to ensure that you are meeting your business’s data obligations.
1. Conduct an audit and risk assessment
Under GDPR, businesses are expected to carry out regular audits and risk assessments of the personal data they hold and how it is processed. To ensure that you have a suitable framework in place, the questions you should be asking your business during a data audit include:
- What data is being collected?
- Where is the collected data stored?
- Why is the data collected?
- How is the data processed?
- How long is the data stored?
- Who can access the data?
- Is the data being transferred, and to whom?
- Is the data needed?
An audit lets you confirm that you are not holding unnecessary data and that the data you do hold is stored correctly, so that you can properly assess and mitigate the risk of a data breach.
3. Asking for consent
One of the biggest changes brought about by GDPR is the high standard set for consent. Consent is only one of the six lawful bases for processing personal data: if you rely on another basis (for example, performance of a contract, a legal obligation or legitimate interests), you may not need to obtain consent at all. However, where consent is the basis you rely on, it is essential to know when and how it must be obtained.
Consent means giving individuals a real choice and control over the collection of their data. Under GDPR, consent requires a positive opt-in and must be given in a clear and unambiguous manner; pre-ticked boxes and silence do not count. Evidence of consent must be kept by your business, and you must have procedures in place that make withdrawing consent as easy as giving it and that allow people to have their data erased where no other lawful basis applies.
4. Appoint a Data Protection Officer (DPO)
GDPR requires certain organisations to appoint a Data Protection Officer (DPO), but even as a small business owner it may be a good idea to appoint a DPO. A designated DPO will help ensure that somebody is accountable for monitoring internal compliance and is responsible for conducting data audits and updating data policies.
A DPO can be an existing employee or externally appointed by your business. The DPO will act as a contact point for the ICO (Information Commissioner’s Office), for the individuals whose data you hold, and for any employee in your business who has data-related concerns. The DPO is not personally liable for data protection compliance and must not be dismissed or penalised for performing their duties.
5. Train your team
One of the main reasons small businesses fail to comply with GDPR is that staff misunderstand its requirements and how data should be used, stored and transferred.
GDPR treats staff awareness and training as part of your compliance obligations (they are explicitly among the tasks of a DPO), so all staff should understand the basic principles of GDPR and be able to act in compliance with the law. In addition to mitigating the risk of data breaches, a record of staff training can be used as evidence that you have taken appropriate steps to implement GDPR, which is likely to reduce the risk of your business incurring fines.
Overall, we don’t think regulators expect every business to be 100% compliant with GDPR; they are likely to factor in variables such as the size of your business and the amount of data you hold.