The new General Data Protection Regulation (GDPR) is causing a lot of people a lot of panic at the moment. It doesn't need to be a nightmare: there are some simple questions you can work through to understand what you actually need to do.
- What personal data do you hold? Names, email addresses, postal addresses, phone numbers, National Insurance numbers, that kind of thing. Anything that can identify a living person counts, including online identifiers such as IP addresses and customer IDs.
- Where do you hold it? Spreadsheets on a shared drive? Databases? Email inboxes? Cloud-hosted apps?
- If it's a cloud-hosted app, where is the data physically stored and who can access it (you'll need to ask the provider)? Data held outside the EU is subject to extra transfer rules. Is the provider compliant with GDPR, and will they sign a data-processing agreement with you (again, you'll need to ask)?
- What do you do with that data? How do you process it? Can you explain it in simple language to your customers?
- What is your (written down) procedure for dealing with data-access requests? If someone asks what data you hold about them, how do you find it all, verify who is asking, and respond? Under GDPR you normally have one month to reply.
- Do you have a lawful basis for the data you already hold? Consent is the one most people think of, but it is only one of several (fulfilling a contract and legitimate interests are others). If you are relying on consent and don't have it, what is your plan for getting it (you don't need to finish immediately, but you do need to be able to show that you are doing it)?
- How are you getting consent for holding personal information on future prospects and customers? What do your data-protection notices look like? Consent needs to be unambiguous and given by a clear affirmative action: pre-ticked boxes, silence or inactivity don't count, and it must be as easy to withdraw as it was to give.
- What is your (written down) plan for dealing with data breaches? You will have one at some point, and it won't necessarily be a hack: a lost laptop or an email sent to the wrong person is a breach too. GDPR requires you to notify the supervisory authority within 72 hours of becoming aware of a breach where there is a risk to individuals, so make sure you know how you will detect, assess and report it.
Take Action: Block out an hour in your diary and start with the first question above.