Data protection  

Five questions advisers should ask about GDPR

  • Understand what a GDPR ready advice firm will look like.
  • Learn how to handle data stored on paper and the type of software which will make a firm compliant with GDPR.
  • Comprehend the fines the ICO can hand out for data breaches.
CPD: approx. 30 min

Additional elements such as fair processing/privacy notices must be updated. These must clearly communicate to clients how and why their data is processed and demonstrate that their privacy and security are taken seriously.

Key articles to look out for in the legislation:

  • Article 25: Data protection by design and default.
  • Article 33: Requirement to report a breach to the supervisory authority within 72 hours of becoming aware of it.
  • Article 83: Maximum fines to be the higher of €20m or 4 per cent of total worldwide turnover.

2. What do I do with all my paper records? 

The paperless office is not a new concept and, while digital communication is often preferred for shorter correspondence, many people are happier reading and absorbing lengthier content in print. 

As a first step, it would be sensible to go through the entire filing system and identify how many copies of each paper document you hold and whether you still really need them.

Identify any records that have no lawful reason for being kept beyond, say, FCA or Inland Revenue prescribed retention periods and securely destroy them. GDPR is an excellent opportunity to de-clutter.

The biggest threat to even the most secure physical information storage is the duplication of data on other devices such as printers and photocopiers; human error is also a major factor.

Untrained human handling of documents can result in a complete lack of control and thus expose you to data breaches. 

Once the entire filing system is cleansed, it is important to follow a robust process, which could include: 

  • Implementing a clear filing and identification system.
  • Designing and installing a secure lock-up and keyholder procedure.
  • Communicating with all staff, ensuring that each person clearly understands the degree of accountability they hold for keeping data secure.

3. Does my software make me GDPR compliant?

Claiming compliance is not sufficient in itself; Article 24 requires you to demonstrate compliance with GDPR.

All firms must ensure the software they are using is compliant. They must proactively review all the software used within the business that is likely to affect the data rights of their clients.

Make a list of everything that is used and then, against each item, note how much data is held, how it is stored and whether it is still relevant.

One of the key elements of the forthcoming legislation is that it imposes much stricter data management obligations, in that there are direct obligations on “processors” and not just “controllers” of data.

A well-drafted data processing agreement, including the ability to audit the processing of the data you control, is crucial.

Relevant certifications such as ISO 27001, which guarantees that the processor meets rigorous industry standards for its information security management system, will certainly provide comfort.

But don't be tempted to send long questionnaires to your clients and suppliers asking for every detail of their processing. It just makes extra work (and time is short), and data protection itself means there are details they simply can't give you.

4. Will I really be fined £17m if there’s a breach?