It's not even spring anymore, and yet I am enjoying a proper spring clean.
I have written in my last few blogs about the General Data Protection Regulation (GDPR) and how it was coming to get us. Well, now that it is here, I had forgotten that, as well as all the work that we business owners have to do to comply, we get the satisfaction of watching all of those companies that bombarded us with emails and lists of “10 things you need to know about…”, just because we foolishly gave them our email address in order to see 10 other things we didn’t know about, now sending emails pleading with us to tick the box so they can keep sending us stuff, because they can’t without our permission. I feel electronically lighter already.
So, hopefully for one of the last times: what is it, and how will it affect all of us?
The aim of the GDPR is to bring data protection standards up to date and to ensure that individuals in the EU are appropriately protected from privacy and data breaches. Any business that processes the personal data of individuals in the EU, including all ground transport firms, will have to comply. It is important to remember that this will continue to be the case for UK-based businesses post-Brexit.
GDPR covers various types of personal data, such as personal data held about clients, personal data held for marketing purposes, and internal and external emails and other types of electronic communication.
For small to medium businesses, if you have an employee handbook, then it needs some basic security policies. You will need to be able to show that you screen candidates for employment and sub-contractors (we call them drivers), with verification appropriate to the access to personal data they will have. You will have to provide security awareness training for any staff who process personal data. There will have to be a disciplinary process for employees who have committed a security breach. Also, when staff leave, all assets, including devices (such as phones or iPads), media and data, should be returned, and their access rights revoked or updated. You will need to look at access control to your computer systems and data devices, with strong passwords.
Are you compliant?
Whoever you are, from sole trader to big company, if you hold other people’s data you should already have started to ensure compliance with GDPR. Get started as soon as possible, because the road to compliance could take some time. You must know what data you hold and process. This includes differentiating between personal data, client-related data and employee-related data, and knowing how each is captured. One way to do this is to fully document the information held across the business and work out, for example, where it originated, where and how it is stored, how it is processed and who it is shared with. This includes data such as contact details or business bank account information.
Businesses should be able to manage their data appropriately, meaning that they can completely erase data from all systems and backups in line with the right to be forgotten, supply the details of data held on request, understand how the data is being used, and know an individual’s rights over their data.
As Thomson Reuters data guru Ian Cooper says:
“You should update your procedures relating to the detection and reporting of breaches in line with the ICO’s mantra of ‘tell it all, tell it fast, tell the truth’. In addition, you may be required to perform a Data Privacy Impact Assessment (DPIA). Best practice is to conduct a full DPIA on high risk processing activities. For example, when a processing activity could result in a high risk of your clients’ data being breached”.
So, in conclusion, GDPR means: know what data you have, and be able to manage it appropriately. Make sure that you can and do erase old data. Be able to supply details on request, and know your own rights and those of your staff, clients and drivers over their own data. Look at your processes for protecting the data from attack by reviewing your cyber protection, and be business-like about the way you approach it. Start by asking your despatch software and other suppliers what they are doing about GDPR, and then look at your own obligations. If in doubt, start by asking your accountant!