We were shocked when we stumbled on an article this week which highlighted that it’s now been three years since GDPR came into force. You probably remember those heady days of 2018, rushing around to ensure that the data that you held on customers and prospects were up to scratch ahead of the deadline as per the latest regulation.
Since then, there have been relatively few enforcements that have led to monetary penalties – at least fewer than was expected in the run-up to the deadline.
However, now we are a little way down the road it makes sense to review your compliance again. Make sure you’re up to scratch and don’t end up with any nasty surprises coming through the door from the ICO.
The first step to consider is mapping out where your data is. This will be anywhere that you are holding personal details of clients, prospects, staff and so on. Think about your email and IT systems, the CRM software that you use, and your email marketing tools. Anywhere that holds identifying information about an individual should be recorded and mapped out. Knowing where everything is will make the next steps easier.
Once you’ve collected together where the data is, now it’s time to think about the data that you need. There are many different types of personal data that you might be collecting – but you should only really store the information that you absolutely need. Names, telephone numbers, email addresses and postal addresses make sense to most businesses. It’s unlikely that you would need, for example, a client’s date of birth unless it relates to a specific service.
To get compliant with GDPR you will need to think about the privacy rules you put in place for your business. You will need to make sure they are documented and shared with all of your staff. You’ll also need to think about who can access data and make sure that only people who need to access certain information can do so. Matching the right level of access to the right people should also form part of your thinking about governing the data you hold.
There are several techniques for protecting the data in your care to support GDPR compliance: encryption, pseudonymization and anonymization. Use the appropriate technique based on the context of the information you are holding. Encryption means the data cannot be read without the key or password. Pseudonymization means no names are revealed; think about using initials in meeting minutes, for example. Anonymization removes all identifying information from the data.
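The data minimisation and pseudonymization/anonymization steps above, as an added example that is not part of the original post and is not WebbyTech's code. It runs over a constructed two-record CRM export with fictitious people; the field names, the HMAC-based token scheme and the choice of "needed" fields are assumptions for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (fictitious people), shaped like a small CRM export.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "dob": "1984-03-02",
     "postcode": "SW1A 1AA", "service": "Broadband"},
    {"name": "Bob Sample", "email": "bob@example.org", "dob": "1991-11-17",
     "postcode": "M1 1AE", "service": "Hosting"},
]

# Fields that directly identify a person (assumed for this example).
DIRECT_IDENTIFIERS = ("name", "email")


def minimise(record, needed_fields):
    """Step two: keep only the fields the business actually needs (e.g. drop date of birth
    unless a specific service requires it)."""
    return {k: v for k, v in record.items() if k in needed_fields}


def new_pseudonym_key():
    """Secret key for pseudonymization. Keep it separate from the data and access-controlled:
    whoever holds it can re-identify, so pseudonymized data is still personal data under GDPR."""
    return secrets.token_bytes(32)


def pseudonymize(record, key):
    """Replace direct identifiers with keyed HMAC-SHA256 tokens. The same value under the same
    key always gives the same token, so records stay linkable across systems, but the token
    cannot be reversed without the key (unlike a plain hash, which could be guessed from a
    list of known names or emails)."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        digest = hmac.new(key, record[field].encode("utf-8"), hashlib.sha256).hexdigest()
        out[field] = digest[:16]  # shortened token; the full digest is also fine
    return out


def anonymize(record):
    """Drop direct identifiers and coarsen the remaining quasi-identifiers so the record no
    longer relates to an identifiable individual (suitable for aggregate reporting)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["birth_year"] = out.pop("dob")[:4]                  # year only, not full date
    out["postcode_area"] = out.pop("postcode").split(" ")[0]  # outward code only
    return out
```

Pseudonymized output must still be protected and logged like the original, whereas the anonymized output can be shared more freely because there is no key that turns it back into a person.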
The final step is putting in place a good audit process. Periodically, you should be reviewing the first four steps. You should be able to produce a report to show regulators that you know what the information you hold is and how it is used. You can show you have taken steps to ensure consent to handle the data. Make sure you have appropriate steps in place to deal with data breaches should they occur.
A good first step to consider is Cyber Essentials certification for your business. This is evidence that you have taken steps towards protecting your business and your data from internet-based cyber-attacks.
If you are looking to learn more about GDPR and how WebbyTech can help – including implementing DLP (Data Loss Prevention) solutions to help prevent data breaches, don’t hesitate to get in touch today.