May 25th has come and gone and hopefully most companies will have taken steps to comply with the General Data Protection Regulation (GDPR). Just like other businesses, we at ProAktive have reviewed, adjusted and changed the way we work and therefore we thought it would be a good idea to share some hints and tips about what to do now the GDPR is in place.
- Treat personal data like you would cash.
It might seem like a pretty obvious statement to make, but companies should ensure that they are taking care of personal data for employees, clients and third parties alike. In today’s world, personal data is extremely valuable and therefore businesses should treat it like they would cash. Would you leave cash in the office for people to see, or would you lock it away? Would you hand over money to a third party without making sure they were legitimate and regulated? The financial risks of not looking after personal data properly are significant, not to mention the potential damage to your reputation should you experience a breach.
- Don’t store data for the sake of it – only collect and keep what you need.
It’s important to take a risk-based approach to collecting and storing data. Think of personal data as a commodity, or like stock. Most businesses would agree that you should hold enough stock to be able to run your business, but keeping too much carries a higher risk (theft, fire hazards, etc.). Personal data behaves in a similar way: storing large amounts makes you a bigger target for a hacker and makes the impact of any data breach much larger. You should only store data that you need to run your business and deliver your goods or services, and under the GDPR you need to be able to evidence a legitimate business reason for controlling or processing that personal data.
- Keep an eye out for case law
Since this is a new regulation, its interpretation is at an early stage. It remains unclear how it will change and evolve, and where the ICO will draw the line between practices that are and aren’t acceptable. Many areas are still ‘grey’, so it’s important to keep a lookout for any enforcement action being carried out by the ICO. We will of course continue to share with you any interesting developments, stories and guidance.
The ICO has released its April 2018 figures, which show that over 8,000 ‘concerns’ were reported that month. It also issued five monetary penalties to companies that were making or sending unsolicited marketing calls and messages, totalling £531,000. It has a further 132 cases under investigation.
If you’re still unsure whether your policies, processes and practices comply with the GDPR, especially with regard to your employees, then please contact us on 01302 341 344.
By Kris Kerins BSc (Hons) PGC (Tech Mgmt) – Risk Services Adviser