Starting to address data protection can seem like a daunting task. In these situations, a back-to-basics approach is needed to see the wood for the trees. We have listed below five practical steps you can take to start your journey towards compliance.
- Get to know your processing. It is vital that you know what personal data you are using, why you are using it and where it is stored. Ask individuals/teams to make a list of the data they use, who it relates to and why they need to use it. This will help you to home in on any high-risk processing (e.g. processing large volumes of sensitive data such as health data), to make sure you are only using the data you need and that you have good reasons for using it.
- Make sure you are telling people about the processing. Being transparent about your data processing is very important. You need to tell people what information you are processing, why and how you are doing this, and let them know about the rights they have in relation to the processing. You will need to create a privacy notice which contains the information required by the GDPR.
- Keep your data secure. A data breach can cost you your reputation, your customers and potentially a significant amount in fines (up to 4% of your annual worldwide turnover for the previous financial year or £17.5m/€20m, whichever is greater), so you need to think about the measures you can put in place to secure physical documentation (for example, ensuring personal data is kept in locked cabinets and that access to the premises is controlled) and electronic information (for example, firewalls, data backups, strong passwords, access controls etc.). You also need to think about how you would detect, contain and handle a data breach, bearing in mind that the GDPR requires notifiable breaches to be reported to the supervisory authority within 72 hours of becoming aware of them, where feasible.
- Consider what you need to demonstrate compliance with data protection law. Do you need a Data Protection Officer? Have you got templates (precedents) for the documents you need to complete, such as Data Protection Impact Assessments, Legitimate Interest Assessments and a Record of Processing Activities? Do you need to register with the ICO or other regulators?
- Ensure your staff know how to handle personal data. Staff need training and guidance on how to comply with data protection law. Having clear and easy-to-follow policies and procedures in place, as well as a regular training schedule, is vital.
Hopefully you now feel ready to make a start, but should you need additional support to help you get there, we offer a range of services which can be tailored to your needs, so please feel free to get in touch here.