This time last year everyone was in a panic about GDPR coming in. So, a year on, how are things now? Many assumed it was a one-off task, or that because they didn’t have many employees it didn’t apply to them, which is simply not the case.
We recently had Sarah from Percipient Consulting chat to us at networking about what our responsibilities are in relation to protecting personal data. Here are some of the things to be aware of, and steps we all need to take.
Complete a Personal Data Inventory.
This isn’t as scary as it sounds. Think about what data you hold in your business, where it comes from, and how and where you store it. You then need to think about what you do with it, how long you realistically need to keep it for, and how to dispose of it when you no longer need it. Then document this. Personal data isn’t just names, addresses and emails; it also includes digital photos, biometric data, IP addresses and much more.
Register your business with the Information Commissioner’s Office (ICO).
This can be done easily online, and costs from £40 a year. Many businesses aren’t registered when they should be, leaving themselves open to a fine of up to £4,000. You can find out more details here, and register your business here.
Policies and Procedures
We should all know about privacy policies, cookies, and opt-in boxes for websites, which are one part of what we need under GDPR. Another thing to put in place is a procedure for what to do if you have a data breach. Not all events are reportable, but by having a process in place you can work out quickly whether it is reportable, and how to report it. With breaches, you only have 72 hours from when it is discovered to report it to the ICO, so it is best to have a documented procedure so that all staff know what to do as soon as a breach is discovered.
A Subject Access Request (SAR) procedure is also needed, and all staff need to be aware of what a request may look like and what to do when they receive one. There is no set way for someone to request their information: it can come by phone, letter, email, social media etc. If someone asks for their details, it is mandatory to comply, and you only have 30 days to respond.
Do your Suppliers Comply?
Not only do you need to think about how your company complies with Data Protection law, but what about your suppliers, or others you work with? Do you give them any personal data? If so, how are they looking after it? Are they GDPR compliant?
Are all your staff trained on phishing emails and data security? This really is a growing issue, as those looking to defraud are getting smarter in their techniques. Passwords are key, as is ensuring that one password isn’t used for everything! Email passwords in particular should be kept secure and not used elsewhere. Imagine if someone was able to get into your email account. What else could they then access? Online banking accounts, systems that you use daily that have a forgotten-password reset option, social media accounts? The list is endless.
There are other things to consider, and ISO 27001 is useful to look at. Measures like locking down USB ports to prevent data transfer via memory sticks can help, as can educating staff on when to use BCC for emails to lists, rather than adding everyone’s addresses to the To or CC box.
So why should your business comply?
Fines for not complying with GDPR can be huge. Non-compliance can also damage your business reputation, and may result in you losing customers and eroding trust in your business. If you are reported to the ICO, investigations can take up a huge amount of time and money, not to mention the stress involved. If you do have a breach, and can show you had put steps in place (i.e. processes and procedures) to prevent breaches, the ICO will look more favourably on you and work with you to improve your processes.
Compliance with GDPR can also help prevent fraud. Supplier mandate fraud (a ‘supplier’ contacting your company to change their bank details for future payments) is one example of this, which cost the UK £92.7 million last year. Another is CEO fraud, where someone uses details from Companies House, social media etc. to impersonate the CEO or another high-level person in the business, to coerce staff into transferring cash or authorising payments to them. Mortgage converting fraud is another type of fraud that is also rising in the UK.
If you would like to know more about GDPR, and how to protect data within your business, Percipient Consulting can provide Data Protection Awareness Training, runs seminars on compliance issues, and will work with you to ensure your business is doing all it can to handle data safely and appropriately. You can contact them on 07857 648 009, or firstname.lastname@example.org
If you would like to attend our next networking event, you can find the details here. Spotlight Newport networking events are held twice a month, in Rogerstone and Caerleon.