Not quite sure what GDPR is?
The European Union’s General Data Protection Regulation (GDPR) replaces the current Data Protection Act.
It will give people greater control over their data and regulate what companies can do with it, unify the data protection rules across the EU and also introduce greater fines for non-compliance. It encompasses “the right to be forgotten” and brings in stronger consumer consent and access regulations, as well as 72-hour breach reporting.
I'm not in the EU. Does it affect me?
“Not in the EU, not my problem?” Actually yes, it is. If you or your company deal with anyone in the EU you have to comply with these rules. If you have a web presence or market your products over the web, you’ll need to know about it.
The extended jurisdiction of the GDPR brings one of the biggest changes to the data privacy regulatory landscape:
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Most companies worldwide will need to conform, regardless of their own country’s legislation.
Whether you’re an employer, an employee or a one-person business, you need to know about GDPR. If you’re not sure how this will affect your business you can seek guidance from a GDPR consultant.
So how long do you have to prepare?
GDPR comes into effect on 25 May 2018, which is not that far away, so let's get prepared!
The more data you handle on a day-to-day basis and the higher up you are in the company the more crucial it is to act according to the new rules, especially if you are an employer.
In the unfortunate event that you are audited for GDPR compliance, any key role holders in the organisation will be scrutinised.
Below are some key points to ensure the correct measures are taken, and there are further resources below. What you need to do will depend on your role. As a one-person business you need to make sure you’re compliant. As an employer, it’s your responsibility to make sure both you and your employees are complying. As an employee, you don't want to be held accountable for a failed investigation.
Make sure you need the data and have permission
It’s important that you don’t access any data you don't require or have permission to access. The main reason for this is to reduce the amount of risk that is being taken with people’s information.
As an employer, you should restrict data according to each person’s role and data access requirements. The fewer people accessing the information, the lower the risk - each person with access is a point of risk.
If you do have reason to access data, the next question you need to ask yourself is:
“Do you need to collect or retain the data by downloading it or writing it down?”
If the answer is no - DON'T
By storing the data you’re adding to the trail, increasing the risk of compromised data and the amount of time it will take to completely clear someone's data upon request. Any data which is retained without a clear reason will be scrutinised.
Any data you do store should be agreed within the organisation, so that it can keep track of the data it holds and provide information about it if requested.
As an employee you should make sure you have a discussion with your employer about what data you need to access and store, to allow them to put in measures to keep it secure.
As an employer, you should discuss what information you are granting people access to with a GDPR consultant so they can assess if you have a real need to access the data in the first place.
As an employee you may have access to sensitive data so it’s important that you keep up to date with GDPR rules and regulations and you should seek GDPR training from your organisation. This can either be done as an online course or by a GDPR consultant.
Employers should be offering this training. This is key to the compliance of the business.
Training should be refreshed at a minimum every year. In some organisations, it will be the employees’ responsibility to ensure they stay up to date, but employers should check staff are trained appropriately as it will affect business if you are audited.
Training is, of course, optional but it would be seen as negligent to not train.
I’d strongly recommend employees seek GDPR guidance materials - in essence a GDPR handbook. Employers should be able to provide this via a GDPR consultant and there are also plenty of resources online (see below).
In today’s digital world we all have too many passwords to remember so the temptation is to start making them easier to recall - 123456789 - or all the same.
Any responsible employee would avoid doing this.
Default passwords should always be changed on receipt and made strong. Make sure your password is at least 8 characters long using a mixture of upper and lowercase letters, numbers and special characters - at least one of each. And of course, all your passwords should be different and share as little similarity as possible.
Where possible, and in all cases where sensitive information is involved, enable two-factor authentication to increase security. How this is done will vary by device and application. It’s important you do this for any device or account that is used in association with your organisation.
Realistically, it’s not easy to remember all these passwords, so you could use a password manager like LastPass or Zoho Vault. However, best practice is to avoid storing your passwords wherever you can.
As an employer it’s hard to keep track of employee passwords, so best practice is to ensure there are rules in place that don’t allow weak passwords on your systems.
Secure your devices
All devices used in conjunction with your work should be secured. If you use it for work, SECURE IT! This includes phones, USB sticks, laptops and any other form of digital storage. The best way to do this is to encrypt the devices.
Encryption comes in various strengths of security. The stronger the encryption the more it will cost, so you should select the encryption which best matches your level of risk and budget. Speak to your employer or GDPR consultant for the best options.
Employers should ensure that any devices used by employees in conjunction with their work are checked by an IT specialist to ensure security.
Remember, GDPR applies not just to electronic, but also to paper records. These should be stored in a safe location and locked where appropriate.
In my opinion, the most important thing to secure and encrypt is emails. These store lots of personal data and are normally the first place you will be compromised.
Make sure that you use reliable email providers and encrypt the email where personal information is involved.
Employers should ensure employees archive emails carefully so that in the event the company is required to delete information related to a person, it is easy to locate and remove.
End of life data
Once data is no longer required or relevant GET RID OF IT!
Just because you have deleted something from a memory stick doesn’t mean it has gone. In fact, it can remain on the device for a period of time until something overwrites it. You may need technical support to learn how to safely discard data.
Paper records should be destroyed using professional shredding services, especially where data is highly sensitive.
Employers should agree with clients how long their data is to be stored and under what circumstances it is to be removed, and ensure measures are in place to abide by these agreements.
By getting rid of the data you avoid using it without permission, and you avoid putting the person it belongs to at risk.
Special category data
If you handle highly sensitive data you should take maximum care. Special category data, as it is known, includes:
- Ethnic origin
- Trade union membership
- Biometrics (where used for ID purposes)
- Sex life
- Sexual orientation
If you handle any of this information inform your employer you are doing so - if they are not aware already. As an employer, you should make your GDPR consultant aware so they ensure you abide by the stricter rules for handling such data and reduce any potential risk.
As an employee you will eventually leave your current organisation. At this point you should remove anything related to the organisation that you aren't contractually obliged to keep hold of.
It’s important that employers include this in employment contracts and follow up. However, if an agreement isn't in place from your employer you should delete the data anyway to cover yourself.
This article is only to be used as a reference and not as legal guidance for GDPR. Employees should directly consult their place of employment for policies and procedures.
If you’re unsure about anything, speak to your employer. In any organisation, you play a key role in making sure they comply with the GDPR Guidelines.
Guidance and resources can also be found on the UK Information Commissioner's website:
Preparing for GDPR - 12 steps