Regulatory requirements sometimes seem to multiply and Data Protection can appear to add another layer of complexity for organisations. This can feel frustrating. These 6 top tips for Data Protection compliance can lighten the load.
Firstly, remember that this regulation covers personal data only: data about your staff, customers, suppliers or others that you engage with.
Secondly, it is important to differentiate between ‘no compromise’ requirements (e.g. informing subjects about how you use their personal data and about their rights) and other requirements which can be satisfied in a manner that is appropriate to the scale and nature of the organisation. Don’t find yourself led into over-engineered processes.
Top 6 Tips
Personal data in your possession is a liability that needs to be managed. Having completed many gap analyses, we have found that these 6 top tips are the ones most likely to help you avoid unnecessary liabilities.
Know who is likely to take an action against you.
Action is most likely to come from staff, from someone who owes you money, from members of the public, or from individuals affected by a data breach. Be mindful of this and take steps to close off these possibilities as best you can. This will minimise the risk to the organisation.
Contracts, notifications and signage
The fundamentals are simple: inform people of what you are doing with their data and of their rights. Informing staff or customers in contracts, and others by way of clear signage, will keep you compliant in this regard. The employee handbook is an ideal place for this information.
Use of CCTV/GPS/biometrics
If you use these technologies, particularly where they capture the public or employees at work, you need to understand how to use the resulting data properly. These technologies must be used for specific, stated purposes, and use of the data for any other purpose is prohibited. From a legal perspective, misuse of this type of data can result in an ‘own goal’ should an individual take an action against you.
Prepare for access requests
An Access Request from an individual is likely to be the first touch point of an action against you. If the request comes from a state body, be mindful that it is likely to be on foot of a crime or suspected crime and that you may need to stand over your actions in court. In either event, sticking to a formal process is essential to ensure that you act in a compliant and lawful manner. You can find an Access Request template free of charge on First Compliance’s site.
Basic security measures
Taking basic but essential actions will demonstrate significant effort to protect the personal data you hold and will help you avoid many forms of cyber threat or harm to the organisation:
- Know how you will react to a breach event. Breach response is time-sensitive and speed is of the essence, so it is important to prepare in advance.
- Keep your operating system software, antivirus and firewalls up to date.
- Password-protect your mobile devices (particularly your smartphone) and encrypt particularly sensitive data.
- Never share your passwords.
- Be alert to phishing attacks, i.e. emails encouraging you to click on links, transfer money, share personal data, or take other actions. Your bank will never ask you for confidential information by email. Well-crafted phishing attacks are designed to make you feel that you would be stupid to question the email’s authenticity. It is important to be cynical and suspicious of unexpected emails, and never to be afraid to question them.
- Provide your staff with basic ‘awareness’ training.
Retention & destruction of personal data
Document the types of personal data that you hold (and the purposes for which you hold them) and how long you will retain each type. This provides you with a roadmap for data destruction. It does not need to be difficult: keep it brief, simple and appropriate to the nature of the organisation.
Consideration of these tips will go a long way towards keeping your organisation out of harm’s way and towards demonstrating a reasonable level of positive action to comply with your obligations.
Was this page helpful? If so, tune in for the next piece where we will cover the management of data protection risk in more detail.