GDPR – the practical application of data privacy processes in your business
In May 2018, the UK adopted GDPR. This is not news, but it has caused mixed reactions from businesses throughout the country.
Simply put, it is all about protecting the privacy of the Data Subject. However, there is more to it now: it is also about accountability and record keeping, and this really does make a difference to your daily business processes.
Some companies simply changed their Data Privacy Statement or Policy on their website to include extra elements; how to exercise your rights, how to complain, where and how the data is stored, the legal basis for holding/processing your data, whether it is shared with a third party etc. and thought the job was done. However, the point of accountability is to ensure there are full and transparent administration processes to back this up and that these are underpinned by accurate record keeping.
Inspect the various requirements (oh boy, there are requirements) and you will find that each element needs a process implemented to support it. For instance, do all the staff know about GDPR and how it affects their jobs? Do all staff have a clear path of action if someone wants to exercise their rights? Do staff know how to identify a data breach and what process is followed when one is reported or suspected? Are you able to track a request from start to end to ensure it is actioned within the timescale required by law? Do you maintain records of requests and breaches?
What is Personal Data?
Simply put, anything that can be used, directly or indirectly, to identify a living human being. This can be a name, email address, National Insurance Number, payroll number, identification number etc.
What is Sensitive Personal Data?
Anything that tells you something private about that person such as religion or philosophical beliefs, trade union membership, political opinions, racial or ethnic origin and data concerning health or sex life.
What data do we hold?
You may think that Personal Data is not retained in your organisation. However, in the daily running of a business, it is normal to retain data about staff to satisfy Employment Law obligations. For instance, health data for the purposes of managing absenteeism and payroll data for managing salaries. All personal data, whether sensitive or not, needs to be handled very carefully, on a need to know basis, stored correctly and for a defined period, and processed securely.
Identifying a data breach
Has someone seen something they shouldn’t?
Can the information they have seen be used, either directly or indirectly, to identify another living human being (Data Subject)?
If the answer is yes, you have a breach.
The official description is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
There is a plethora of GDPR information and advice online. By far the best source of support is the ICO. Their helplines and online chat facilities are excellent; they are more than happy to support businesses of all sizes with their compliance obligation queries.