In the third part of the GDPR blog series we’re covering how your business needs to change ahead of GDPR. You can read our GDPR blog series by following the links below:
- The General Data Protection Regulation – An introduction to GDPR
- How the GDPR affects the personal data you hold
- Plan how you need to change ahead of GDPR implementation
- How GDPR gives rights to individuals and their data
- What is your lawful basis for processing data
- GDPR gives you a duty to prevent and report data breaches
Plan how you need to change ahead of GDPR
It’s easy for small businesses with heavy workloads to ignore the GDPR, or to see it as an unnecessary burden, but it must be taken seriously. In reality, it’s something you can use to your advantage. Many customers will appreciate you being transparent about compliance, and it could add real value to your business, perhaps even bringing in new customers. In the long run it’s far easier to be compliant than to constantly spend time explaining how you can avoid it.
When planning how your business needs to change for GDPR, remember that this affects your employees, suppliers and customers, and indeed anyone else whose data you store. You need to know what data you hold, how you gathered it, why you hold it and how it’s used. If you’re holding on to data for longer than necessary, for reasons the individual isn’t aware of, or with no other lawful basis, you should remove it.
It is recommended that your company quickly takes steps to assign responsibility for data protection compliance. This could be a specific individual or, in some larger organisations, a small team. You may also want to consider creating the role of ‘Data Protection Officer’, but this is only required for public bodies and for organisations that monitor individuals on a large scale.
The most important thing is that someone within your company takes proper responsibility for data protection. This person should have the knowledge, support and authority within your business to carry out the role effectively. All your staff should be trained to recognise an issue and be aware of the need to report any mistakes to the responsible person. It’s ultimately down to you as the business owner to ensure the right procedures are in place to detect, report and investigate any personal data breach.
Implement new data processing systems
You will need to implement systems that allow any data access request to be processed within one month. Under GDPR, individuals have the right to access all personal data you store on them, to ask how you collected it, and to request that you completely erase all the data you hold on them. Once a request is received you have one month to carry it out; this can only be extended in mitigating circumstances.
In some extreme cases you may need to report a data breach to the ICO, but this is only required where the breach poses a serious threat to the individual. This includes, for example, cases where the person could suffer financial loss, damage to reputation or other significant economic or social disadvantage.
Perform due diligence of supply chains
You may also want to consider performing due diligence on your supply chain. You will want to ensure all your suppliers are also GDPR compliant, to avoid any issues affecting your business. Part of the new regulation requires that you have a written data processing agreement with any supplier you share personal data with – this includes any software you use to store personal data.
The use of data processing agreements ensures that both you and any data processor understand your responsibilities under GDPR, and ultimately helps all parties to be compliant.