It’s been an interesting few months looking through issues with clients: amazing how many skeletons can be found hiding in cupboards once you have a proper search for them. Three key areas that have been something of a revelation are:
1. How many places personal data is held (other than those where it was intended or expected to be).
2. How much non-essential personal data has been accumulated because there is no system to review and remove it.
3. How many people/staff have access to personal data that they have no need of ever seeing.
The Information Commissioner has emphasised that the GDPR should be seen as “an evolution in data protection, not a revolution” and that if organisations can gain the trust of their customers by their safe handling of privacy and data protection “that provides a major opportunity and competitive advantage for those who can demonstrate that they get data protection right” [iconewsblog.org.uk 25 Aug 2017].
So, the next steps to consider in your preparation, knowing now what personal data you hold and why, are about what you’re going to do to support the rights of the individuals whose data you hold.
Obviously the first and, it may be argued, most important duty is to hold that information securely. There are many simple measures that an organisation can take to promote this security, including:
- Ensure that the IT systems are as secure as you can reasonably make them:
  - Strong passwords to access any machine and data
  - All machines and network devices (routers, firewalls, Wi-Fi) kept updated with software patches, firmware, non-default passwords, etc.
  - Fully updated and familiar anti-virus and any other appropriate security software
- Staff suitably trained in basic security practices, what they should have access to and what they shouldn’t, and aware of how to report any concerns or inconsistencies. They should all know how to recognise a phishing email, what sort of message their anti-virus will show if it encounters something suspicious (rather than the scam messages that pop up on websites…), and how to handle an enquiry by someone seeking personal information
- The government “Cyber Essentials” scheme, which enables even small businesses to gain basic accreditation for cyber security at low cost.
Next, you need to know (as certain knowledge, not a hope or a broad guess) how you are storing personal data: what is held in which computer, server, mobile phone, office diary, tablet, filing cabinet, backup system, etc. An information audit will have revealed this to you, and now is the time to review whether this is what you intend to be happening, and whether you will be able both to maintain what you are doing now and to hold personal data securely. If not, you need to act urgently to formulate a policy for what is stored, where, accessible to whom, and from what devices. Beyond merely being good practice, it becomes important to have this fully sorted out should you have to respond to a Subject Access Request (SAR). Likewise, should someone ask you to update or delete their details, you need to have worked out how you will achieve this consistently and effectively across every system that holds them.
Also, knowing what data you hold, you will be aware of the lawful basis for holding it. Should this be consent, rather than the data being needed to perform a contract or meet some legal obligation, you need to review how you obtained that consent to make sure it meets the new, tougher standards required by GDPR, how you are recording that consent, and how you enable those whose data you hold to withdraw their consent.
If you’ve been operating effectively under the 1998 Data Protection Act rules then none of this will cause any sort of headache. However, if it sounds rather scary then now is the time to get on with sorting it out. There is time to have it all ready for the GDPR start date of 25 May 2018, but don’t put it off…
Always happy to help with any part of these processes, so please contact us.