**Collaborative Post**
If you run a business you are probably already aware of the Data Protection Act. But did you know that in 2018 the "Data Protection Act 1998" was replaced with "Data Protection Act 2018" which now incorporates GDPR (General Data Protection Regulation). This means that almost all businesses need to review how they hold things like sensitive data and ensure it complies with the new law, GDPR compliance is very important.
While GDPR is an EU regulation that no longer applies to the UK, the provisions of GDPR have been incorporated into UK law as the UK GDPR. The regulation applies to any business that processes personal data. Ensuring you are following UK GDPR is an important aspect of any business and this post will aim to help you understand how your business can ensure it stays UK GDPR compliant.
Keep Privacy Notices up to Date
Whilst it is good practice for all businesses to review and update their privacy notices and policies regularly, it is important you check that they now cover everything that is needed under the new UK GDPR rules. This includes stating how and why you are legally allowed to process personal information, how long you will be keeping hold of their information and you also need to let people know that they have a right to request their data be deleted at any time, it is their right to do so.
You will also need to include information in your privacy policy about how they can make a complaint if they believe you are miss holding their information or that their sensitive information is at risk or unsafe. People need to be able to opt in, rather than opt oi
Staff Training or Hiring Help
One of the best ways to ensure your business is up together and totally compliant is to hire an expert who can come in and help check everything for you. By hiring GDPR consultants they can offer a number of ways in which they might be able to help including running data protection impact assessments, virtual DPO service, conducting gap analysis, and remediation support. Not only this but they can also offer training and support to everyone involved in the business to ensure everyone understands the basics and their own role in ensuring the business stays compliant.
Training is particularly important for any employees handling/storing sensitive information or those working in an administrative role.
Are you a Data Controller or Data Processor
One thing it is important to know when looking at GDPR is whether you and your business are a data controllers or data processors as each is regulated differently under GDPR.
Data Controllers - This can be any business that asks customers for their information such as telephone numbers, email addresses, or other types or personal information. This is especially true is you retain this information and then use it for marketing purposes such as sending out newsletters and offers Data controllers dictate how and why personal information is processed and stored
Data Processor - Unlike a controller who gathers personal information, a data processor is typically a person or business that keeps hold of the personal information of a data controller. They usually collect, analyse and extract information from data, a good example of this might be an email subscription service which a business might use to send out newsletters, etc.
The ICO has outlined 6 lawful bases for collecting customer/client information, these include Consent, Contract, Legal obligation, Vital interests, Public task, and Legitimate Interests. Depending on whether you are a controller or processor you will need to ensure you are compliant with the rules that are relevant to you.
Please remember the above is just my personal opinion and advice and is in no way legal advice. If you are worried or confused about whether your business is compliant with the latest GDPR policies the best thing to do is seek proper legal advice. Doing this sooner rather than later will help ensure you can run your business without worry of repercussions from not being compliant.
No comments:
Post a Comment