25thMay is the day that seems to have crept upon many people, but during the last couple of weeks, unless you have buried yourself in a bunker with no connectivity or social media access, you will know from the volume of emails you have received, asking you do “Click to Keep in Touch”, that there is a sea change happening regarding data protection and privacy laws.
Any business, large or small, is beholden to the new GDPR regulations. Therefore, as of today, do you know the following:
1) Do you know the basis for which you are processing data? From 25thMay, there are six lawful reasons why you are processing data which allows you to be in the possession of the data you hold. These are consent, contract, legal obligation, vital interest, public task and legitimate interest. If you are holding or processing data, and you are not aware as to the reasons why, and they do not fall into one of the above categories, you could be in breach. Therefore, I would recommend that you understand your lawful basis for processing data.
2) Who is it that is responsible for monitoring your compliance and obligations under GDPR? If you are a sole trader, this is an easy question to answer. However, if your organisation is more than one person, who has the responsibility of being the Data Protection Officer, and how do you communicate who is responsible for any such enquiries to those outside of your business or organisation? If you are a small business, there is not a legal obligation upon you to appoint a Data Protection Officer, but it may be good practice to do so.
3) GDPR enhances individuals’ rights, relating to the data you hold upon them. Such rights could include the right to erasure, the right to be informed, the right to object, along with strict criteria regarding subject access requests. From today, are you clear as to what processes you have in place to ensure that requests are dealt with in accordance with GDPR regulation. If you have a Data Protection Officer, they will need to be familiar with the process and adhere to them.
4) Do you encrypt the data you hold? Although you are not under a legal obligation to do so, how are you going to protect the data you hold from third parties, in the event that the data is stolen, your systems are hacked, or maybe your laptop or phone is stolen. Although you cannot protect for every circumstance, you can put tools in place that will protect you against the probability of fines being landed, in the event that your data becomes breached. If you do not already do so, we will advise that you have a conversation with an IT Specialist regarding password protection and encryption emails.
5) In the event that data is breached, have you put in place a process in reporting the breach? Do you know who to notify, what time period you need to notify in, and who would be the contact of the organisation?
If not, Dawsons Law can provide such a policy, bespoke to your organisation, for a Fixed Fee price. Please do not hesitate to contact Salena Dawson at our Watton Office on 01953 883535.