Matthew Cole, partner at law firm Prettys, has shared his top tips for ensuring individuals and businesses keep their compliance regulations on track
It was the new data regulation that had every company in the UK talking when it was first introduced a year ago last weekend.
The European Union’s General Data Protection Regulation (GDPR) saw a major overhaul of how businesses, regardless of size, handle personal data.
Firms must evaluate how they collect, store and process personal data to protect a person’s privacy – and 12 months on, many are still finding the regulation a challenge.
- Re-evaluate your current GDPR plan – When businesses first started putting together their GDPR procedures and policies, it was all a bit of a rush. Most people wouldn’t have been fully compliant even after putting these procedures in place, as there was so much to do.
Therefore, it is worthwhile to see what you have achieved and what still needs work. GDPR compliance is very much a continuous process, and now is a good time to look at how you can adapt it for future innovations.
- Give all staff basic training – GDPR can be difficult to understand and organisations need to be proactive in training their staff to ensure they are up to speed with all the necessary information. When new staff members are joining a company, they should be given basic data management training, and everyone should have some understanding of how their organisation uses data.
- Know your data! – Organisations should understand what data they process, what they do with it and who they share it with. To do this they can conduct an audit. The hallmark of any audit is to understand what kind of personal data you’re using, where it comes from and where it goes. If you get these things right, you can’t go too far wrong.
Rather than looking at the procedures once a year to review the policies, there should be someone on hand whose responsibility it is to constantly look at ways to improve the way the business handles data and futureproof their GDPR compliance policies.
- Sort out your IT systems – Companies should also make sure their IT systems are up-to-date and as secure as possible. They can use Cyber Essentials, a Government scheme that helps protect companies from all kinds of cyber-attacks.
- Have clear policies in place to prevent security breaches – A breach in security is arguably the worst thing that can happen when it comes to data. To prevent this from happening, it is important that employees are aware of the policies within the company.
In the rare case that a former employee attempts to steal data, you need to be prepared. To prevent this from happening, there need to be clear guidelines in place, including a clear statement that all data is owned by the company.
Staff should also be prohibited from storing data on personal devices and sending it to personal email accounts.
You can get software which monitors whether staff have sent data to themselves. The most important thing is just to be vigilant and carry out regular checks. Do simple things like regularly changing passwords, keeping web systems up-to-date and making sure privacy policies are accessible and accurate. An organisation’s data consent needs to be explicit and must not rely on pre-ticked boxes, as many e-commerce companies still do.
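The kind of check the paragraph above describes, as an added illustration that is not part of the original article and not a product the author recommends: a short script that reads outbound mail-gateway log lines and flags messages from corporate addresses to personal webmail domains, noting when the recipient name matches the sender (a likely self-send) and when attachments are present. The log format, the corporate domain `example-firm.co.uk` and the list of personal domains are all assumptions; the log lines are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in an assumed gateway format (not real data):
# timestamp, sender, recipient, attachment count, subject.
SAMPLE_LOG = """\
2019-05-27T09:12:04Z from=alice@example-firm.co.uk to=bob@example-firm.co.uk attachments=0 subject="Team meeting"
2019-05-27T09:40:51Z from=alice@example-firm.co.uk to=alice.smith99@gmail.com attachments=2 subject="client list"
2019-05-27T10:02:13Z from=carol@example-firm.co.uk to=supplier@partner-example.com attachments=1 subject="Invoice 1234"
2019-05-27T11:15:30Z from=dave@example-firm.co.uk to=dave_home@outlook.com attachments=0 subject="FYI"
"""

# Assumed corporate domain and a small list of consumer webmail domains.
CORPORATE_DOMAIN = "example-firm.co.uk"
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) '
    r'attachments=(?P<att>\d+) subject="(?P<subject>[^"]*)"$'
)


@dataclass
class Alert:
    timestamp: str
    sender: str
    recipient: str
    attachments: int
    reason: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_personal_account_sends(log_text):
    """Flag outbound messages from staff addresses to personal webmail domains.

    Each alert records why it fired so a reviewer can prioritise: a recipient
    whose name matches the sender suggests a self-send, and attachments mean
    files (possibly personal data) left the company.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sender_local, sender_domain = rec["from"].rsplit("@", 1)
        recip_local, recip_domain = rec["to"].rsplit("@", 1)
        # Only look at mail sent from our own staff addresses.
        if sender_domain.lower() != CORPORATE_DOMAIN:
            continue
        if recip_domain.lower() not in PERSONAL_MAIL_DOMAINS:
            continue
        reasons = ["recipient is a personal webmail domain"]
        # Crude self-send heuristic: the sender's first name token appears in
        # the recipient's local part (alice -> alice.smith99).
        if sender_local.split(".")[0].lower() in recip_local.lower():
            reasons.append("recipient name matches sender (likely self-send)")
        att = int(rec["att"])
        if att > 0:
            reasons.append(f"{att} attachment(s)")
        alerts.append(Alert(rec["ts"], rec["from"], rec["to"], att, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for a in find_personal_account_sends(SAMPLE_LOG):
        print(f"{a.timestamp} {a.sender} -> {a.recipient}: {a.reason}")
```

Run on the sample, this flags the two messages to gmail.com and outlook.com and leaves the internal and supplier mail alone; in practice the personal-domain list would be wider and the alerts would feed a regular review rather than an automatic block, in keeping with the article's advice to carry out regular checks.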
- Make sure you don’t become data confused – There can be confusion surrounding what personal data actually is. Often people think something isn’t personal data if it doesn’t contain a name or address. But personal data is actually anything that can help you identify an individual, so it is very wide ranging.