As the deadline for the new General Data Protection Regulation (GDPR) fast approaches, many businesses are racing to ensure they are compliant with the new EU regulation.
Lorna Bolton, the associate director of commercial at business advisory firm Greenaway Scott, outlines the hidden issues that could catch you out.
Working with third-party contractors
Many businesses rely on third-party contractors or suppliers to carry out their daily operations. Everyone from builders recruiting additional workers or specialist companies to complete a project, to media companies using the skills of an external photographer, uses contractors routinely.
However, the implementation of GDPR will alter how companies share personal client or professional data with outside sources. Many contractors process personal client data on behalf of a business, or handle it as part of a project, in which case they too must be compliant with GDPR.
After 25th May, companies hiring third-party contractors must ensure they have a contract in place which states that the parties are compliant with the regulation and are aware of their responsibilities. Contractors or suppliers must be able to provide sufficient guarantees that they are meeting the GDPR requirements.
Shared company passwords
Many companies and individuals rely on the same password to safeguard all their computers and secure data. This is a common mistake: many people choose a familiar word for its simplicity, or numerous staff members use the same combination to safeguard sensitive client data in a shared office space.
Under GDPR, shared passwords could be viewed critically, as they could be interpreted as a business failing to act adequately to protect personal data. The regulation states that anyone collecting personal data must be responsible and accountable for all of that information. Businesses are likely to handle a greater volume of data and therefore must ensure they have stringent controls in place to secure it.
Failure to adequately secure private data could lead to a fine of up to 20 million euros, or 4% of the annual turnover, in the event that a company is hacked or information is breached.
The definition of a data breach has been widened under the new regulation. A breach can occur not only intentionally, when a company is hacked or information is leaked; under GDPR it can also result from human error. GDPR defines a data breach as the loss, unauthorised disclosure, or accidental or unlawful destruction of information which is processed, transmitted or stored, either electronically or on paper.
This means that accidentally exposing highly sensitive personal data, such as medical records, to the public could pose a severe risk for the company. Putting thorough guidelines in place to help staff recognise and report a data breach is vital to ensure the information is secured as quickly as possible. Under the regulation, a breach should be reported to the Information Commissioner's Office immediately after becoming aware of it, and in any event within 72 hours.
Data Protection Officer
Some larger companies handle a significant volume of personal and sensitive data on a daily basis. Companies including banks, insurance companies, and shops are all trusted with vast amounts of financial and personal details which they are responsible for processing and securing.
But how can these businesses ensure they are compliant when the GDPR deadline arrives? They will need to appoint an independent Data Protection Officer (DPO) to monitor internal compliance, inform and advise on data protection obligations, and act as a contact point.
Appointing a DPO helps to demonstrate a company's commitment to fully complying with the incoming regulation. Although it is advised that DPOs are used to support large-scale businesses, there is no official definition of what size a company should be.
Therefore it is advisable that any company that handles a significant number of accounts or clients, or frequently handles personal information, should explore this option. It is recommended for companies with over 250 staff.
When a new staff member has been appointed, businesses often file away the unsuccessful applications and CVs without much consideration. However, following the introduction of GDPR, businesses have a responsibility to ensure these personal details are adequately protected and not retained for longer than necessary.
Prospective employers must only request personal data which is appropriate to the vacancy and must inform applicants how long they intend to keep it on file. Equally, if an applicant asks that their data not be kept on file, employers must ensure it is not.