A blog post by GDPR consultant David Campbell
Many Black Country businesses process the personal data of their customers and employees. If you do, you need to ensure you are compliant with the new law by 25 May 2018, just over six months from now.
A new Data Protection Bill is going through Parliament and will become law in due course. What the Bill does say is that the GDPR, a European Union-wide piece of legislation, will apply in the UK.
Guidance on data protection law is provided by the Information Commissioner's Office ('ICO'). The Commissioner plans to offer additional guidance between now and when the GDPR comes into force.
However, you can take the following steps now:
1) Find out exactly what personal information you hold. Check to make sure it is accurate and up to date. If you no longer need it for a business purpose, get rid of it. Conduct a data-flow mapping exercise so you can see how you gather information, what you do with it, who gets to see it, who it is shared with, and so on.
2) Identify the legal basis that allows you to process customer information lawfully. Did the customer consent, is the processing necessary to fulfil an order, or is it something else? On the subject of consent: was it freely given, with the customer fully aware of exactly what they were consenting to?
3) Under the new law you will need to give customers additional information (such as the legal basis for processing their data, see 2 above) at the point they provide that information to you. How do your customers provide information: over the phone, on forms, via your website? Review any privacy notices you have to make sure they are fit for purpose. If they are not, revamp them.
4) Do you outsource the processing of personal data to someone else? You MUST have a written contract with them. The GDPR imposes additional obligations on processors. Do they have appropriate security in place to keep your customers' data safe? Have you checked that they actually do what they say they do to keep information safe? Review any contracts you have and revamp them to make sure they are compliant.
5) Your customers will have enhanced rights regarding their information. They can ask for access, rectification, restriction, erasure and so on. Do you have a procedure for when a customer decides to exercise a right? If you don't comply with a request, you may find yourself on the receiving end of a court application or a complaint to the ICO.
6) Are your staff aware of data protection? You need to take appropriate measures to prevent unauthorised access to, or loss or destruction of, personal data. If you haven't trained your staff and they don't understand your policies and procedures, can you really say you have taken appropriate measures?
David Campbell is a consultant and trainer in data protection. To arrange a free initial meeting, or if you have any questions regarding the new (or current) law, he can be contacted on 07397 943394.