GDPR – Practical help for SME
Following on from my blog “What is GDPR and what does it mean for small business?” I was contacted by a number of you asking if you could have some more detailed advice on the differences between the Data Protection Act and the new GDPR.
This isn’t my area of expertise, so I asked around and a contact of mine put me in touch with Chris Hunter, whose specialism is in this sector and who has written numerous blogs about GDPR. I contacted him and he kindly agreed to write a blog to try and answer your questions:
The upcoming GDPR is causing quite a kerfuffle and even a little panic. Lancashire-based HM Network have been very proactive with GDPR awareness these past months, helping businesses around the North West get on the right path to compliance. They are here to demonstrate that it is not all bad news; it can actually be seen as an opportunity to engage with customers and instil customer confidence. With plenty of free resources and expert help at hand, GDPR should be embraced, not ignored:
If you are a business and collect, process or hold any personal data (often called personally identifiable information, or PII) on individuals, including staff and customers, then you should be aware that the laws around data protection and data privacy will be getting a major overhaul as of 25th May 2018 under the General Data Protection Regulation (GDPR). You could look at it as the current Data Protection Act (DPA) on steroids. These changes are actually long overdue and should improve the way organisations of all sizes operate.
Businesses often think of “data” as digital media, but it is important to point out that it can also include printed matter, images and video. Do you hold any paper records with customers’ names, addresses or contact information on them? Do you keep information for longer than you should? Do you have documented policies on data retention? Do you have the proper consent to collect and use the information you already hold? With these changes come substantially increased obligations for data processors and data controllers.
We have been hearing from lots of small businesses who didn’t think that the new laws would affect them. We urge all businesses to take the time to review their current position, focus on what needs doing, and get help where needed. It should reduce the risk of breaches which could lead to enforcement action and even significant financial penalties. If it helps set the scene, when we started looking into GDPR for our own business, we did not think that it would affect us much either, but we were proven wrong.
As a result we now run #GDPRexpress sessions around the North West to spread awareness about GDPR, with expert speakers including the Organised Crime Squad, InfoSec and cyber security specialists, legal advisers, data protection practitioners and more.
Once you start reviewing your current position, it helps you deal with the tasks in hand. As with anything complex, breaking it down into bite-size sections helps you focus attention on specific areas. Being able to demonstrate that you are planning and making provisions is a big step, and could really help matters if the ICO were to get in contact with you.
The information below is directly from the Information Commissioner’s Office and is accompanied by a handy PDF that can help businesses across all sectors with their GDPR readiness journey. I’ve already covered the 12 steps and the self-assessment in this blog, so head over and have a read if you haven’t already.
1 Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
2 Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3 Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4 Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5 Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6 Legal basis for processing personal data
You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
7 Consent
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
8 Children
You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
9 Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10 Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
11 Data Protection Officers
You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
12 International
If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
Remember that the GDPR is all about protecting information and giving increased rights to data subjects like you and me. If, as a business, you are protecting data relating to your staff, customers and suppliers, it will instil confidence and is ultimately a business benefit.
There is plenty of help out there: talk to your tech partners, your legal people and your suppliers.
If you need any pointers, we are happy to help.
Future events, examples of useful tools, the ICO Free 12 Steps Guide and much more can be found at http://www.hm-network.com/free-gdpr-tool-kits/
About Chris Hunter:
Hi, I am Chris Hunter: Director at HM Network Ltd (including SMi-Fi Social WiFi), ICT data specialist, music producer, DJ, husband and father. I have always had a keen interest in audio and technology; these two passions have been a big part of my life for as long as I can remember. I studied music technology at college, which helped me gain the skills to make and understand music.
In my working life I have held positions in the licensed trade including BII accreditation, bar, club and radio DJ, audio visual installation engineer, record label manager, sales executive and ICT data specialist.