Three things you need to know for the GDPR
If your business holds personal information, whether on your customers or employees, you cannot afford to ignore the GDPR. Here are some key pointers on how to prepare for compliance.
In May of this year the largest shake-up of Data Protection legislation for a generation will happen. After much fanfare, the General Data Protection Regulation (GDPR) will finally come into force when the Data Protection Bill is enacted.
Here are three things that you should do now to prepare:
1. Conduct a data audit:
You need to look carefully at your business to see what sort of data you hold on people and why. The GDPR is all about justifying why you hold data and being transparent about what you do hold. You cannot do this unless you know as a business:
- What data do you hold?
- What data do you collect, and why?
- Where is it held?
- By whom?
Once you have done so, you then need to consider whether you actually need to hold it or not. Employers in particular need to give this very careful consideration.
2. Review your Contract of Employment and Staff Handbooks, particularly in relation to data protection policies.
You need to justify why you are holding information and the best way to do that is to have a policy set out in your Staff Handbook which explains what you hold, why and in what circumstances you will retain it. You will also need to make all staff aware of the GDPR and the considerations for them as employees.
3. Consider how you work with third parties – this will become a legal requirement
If, as a business, you are sending out either employee information or data on customers to a third party, such as payroll providers, pension companies and Occupational Health Services, you need to enter into a written Agreement with your data processor.
This will become a legal requirement and when you have done your data audit you should be in a better position to know whether there are any third parties to whom you send information. For instance, this would include
Much has been said about the swingeing fines that can potentially be imposed under the GDPR. It is probably only the grossest of breaches by the largest of companies that will fall foul of the massive fines that are threatened, but small businesses should not be complacent.
The time to act is now, and if you need help please get in contact.