Our partner, Astrid Data Protection, looks at what you need to do to remain compliant with GDPR now and in the future…
It’s nearly 18 months since the General Data Protection Regulation came into force. Understanding the risks of non-compliance, most of us scrambled back in 2018 to put systems and processes in place to comply with the law and protect the personal data we held. But how do you ensure that you are still compliant with GDPR and will be in the future?
With businesses subject to continual change, it will come as no surprise that to remain compliant with GDPR and other data protection law requires work. Astrid looks at the key areas that you need to review and update regularly:
– Have you paid this year’s data protection fee?
Every organisation or sole trader who processes personal information is required to pay a data protection fee to the ICO (unless they are exempt under specific circumstances). This is an annual fee which, if you pay by direct debit, will be collected automatically and after each payment you will receive a certificate. If your fee is paid by any other method, you need to ensure that you have mechanisms in place to pay on time each year.
– Are your team up to speed?
Under GDPR, you are required to provide staff with regular data protection training. This isn’t just about meeting your requirements though – five out of six breaches reported to the ICO last year were caused by human error. Your staff could be your strongest defence or your weakest link depending on their training.
New staff should receive training soon after they join your company and existing staff should receive refresher training at least annually. You should keep a log of all staff training carried out in case it’s needed to defend against a complaint or legal claim.
– Have you had any IT changes?
If your IT systems are breached, it can lead to a loss of data and even stop you doing business. Keeping track of your IT equipment will help to minimise this risk. Have you made any changes to your systems or equipment? Carrying out regularly reviews will help ensure that the equipment you use and how you use it doesn’t compromise data protection.
– Are you processing any new data?
For new data processes and any changes to existing ones, you need to complete a data processing impact assessment (DPIA) to identify how your activities might impact on the people whose data you’re using. Without a DPIA, you can’t be sure you’re in control of the personal data your business uses.
– Do you still have consent?
If you are processing data under the lawful basis of consent you need to ensure that you have a clear record of that consent. You need to review whether the consent remains ‘fresh’ and that you continue to process personal data in line with that consent. Where consent has been removed or is outdated, data records must be destroyed or eradicated.
– Have you got rid of out-of-date personal data?
You are only allowed to keep personal data for as long as necessary to achieve the purpose for which it was collected. As soon as you no longer need the data for a legitimate purpose, you should delete it. How long you keep it will vary depending on the type of data, but it’s important to make sure you’re not holding on to information that you shouldn’t have.
– Is your privacy notice up to date?
Astrid provides a secure online platform that shows you what you need to do and gives you the support you need to become and remain compliant. Every stage of the process is broken into practical, manageable steps and includes downloadable tools and clear guidance. Our online training videos ensure your staff understand their responsibilities and records who has completed their training. Designed to be affordable for all small businesses, Astrid ensures that any sized business can comply with GDPR now and in the future.
Not sure whether you are compliant?
Despite all good intentions, some people are still not up to speed with GDPR compliance. Why not check how far you still have to go? Astrid offers a free compliance check – just create an account, go through to stage 1 of our process and take the quick GDPR test.
Join our 5-day GDPR email mini-course to get a daily dose of best practises and tips for complying with GDPR.