If you are currently looking at the new GDPR data protection law and wondering just where to start, you are not alone. Despite the looming onset date, which is now less than one month away, the majority of small to medium sized businesses in the UK do not even have a plan for compliance.
Let me remind you, just in case you’ve not noticed any of the press coverage, that the maximum fine for a GDPR data breach is the larger of 20 million euros or 4% of your annual global turnover. If that doesn’t worry you, you must have nerves of steel.
If you are not sure where to start, here’s a suggestion: FIND YOUR DATA. If that sounds a bit obvious, start by asking yourself some questions:
Do you understand what “personal data” means?
Personal data is any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. This could be anything from a name and address, a telephone number, an IP address or any other identifier.
Does your company hold any personal data?
You might start by thinking about information you hold about your own staff and then think about clients, suppliers and any data you use for research, or for marketing and publicity purposes. Remember that this applies to data held on paper as well as in electronic form. Those old filing cabinets mouldering in your basement can’t just be forgotten about.
Why do you have the personal data?
If you don’t have a clear reason for holding personal data, then you should not be keeping it. You might have it for HR purposes, which could mean keeping it for many years. The same might be true for data relating to tax or other accounts issues. Data held for customers and suppliers will probably only be needed while the relationship is maintained. Data for marketing purposes might have a much shorter life. The key point here, for all these examples and for all personal data, is that you should not hold data for any longer than is necessary. We’ll be revisiting the question of the legal status of this data at length.
Once you know what personal data is and you’ve worked out why you have it, you should start to tackle the issue of location.
- Some of your data may be held in physical form, so you will need to sort through those filing cabinets and take a long, hard look at all of those old documents. Remember the point about keeping personal data no longer than necessary. You probably want to start shredding and disposing of a lot of that paperwork. Just make sure that you do so securely.
- It is very common nowadays for businesses to have data hosted externally in the cloud. Of course, what this really means is that the data is sitting on someone else’s server. You are going to have to find out who is hosting your data and where the server is located. Eventually, you are going to be checking that your service provider complies with the GDPR, which will almost certainly be the case. You will just be required to prove that you asked the right questions.
- The last piece, or perhaps several dozen pieces, of this data jigsaw is the data held on physical devices owned or used by your organisation. You might have servers (physical or virtual), NAS devices, external hard drives, USB devices, PCs, laptops, tablets and smartphones. All these devices can hold personal data and you will need to establish which of them do and which do not. You will then need to know what kind of data is held on these devices. This returns us to the point made earlier: the question of the legal status of this data.
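One practical way to start establishing which devices and folders hold personal data, and what kind, is a simple discovery scan. The script below is an added example, not Active IT's tooling and not part of the original article: it walks a directory tree, counts matches for the identifier types the article names (email addresses, UK telephone numbers, IP addresses, plus UK postcodes as a stand-in for "address") and produces a per-file inventory. The regular expressions are heuristics for building an inventory, not a legal determination of what counts as personal data; the sample files it writes to a temporary directory are constructed for the demonstration.

```python
"""Lightweight personal-data discovery over a directory tree.

Added example for data inventory, not Active IT's own tooling. The sample
'file share' is constructed in a temporary directory so the script runs offline.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Heuristic patterns for the identifier types the article names.
# They are for building an inventory, not a legal determination.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "uk_phone": re.compile(r"(?:\+44\s?\d{4}|\b\(?0\d{4}\)?)\s?\d{3}\s?\d{3}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
}

TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md", ".json", ".xml", ".html"}
MAX_BYTES = 5_000_000  # skip very large files in this simple example


def scan_file(path: Path) -> Counter:
    """Count identifier matches per category in one text file (only non-zero)."""
    hits = Counter()
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return hits
    for name, rx in PATTERNS.items():
        n = len(rx.findall(text))
        if n:
            hits[name] = n
    return hits


def scan_tree(root: Path) -> dict:
    """Walk a tree; return {relative_path: Counter} for files with any hits.

    Only counts are recorded, so the inventory itself does not copy the
    personal data out of its original location.
    """
    inventory = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            if p.suffix.lower() not in TEXT_SUFFIXES or p.stat().st_size > MAX_BYTES:
                continue
            hits = scan_file(p)
            if hits:
                inventory[str(p.relative_to(root))] = hits
    return inventory


def summarise(inventory: dict) -> dict:
    """Aggregate per-file counts into totals per identifier category."""
    totals = Counter()
    for hits in inventory.values():
        totals.update(hits)
    return dict(totals)


def build_sample_tree() -> Path:
    """Constructed sample data: a tiny file share with and without personal data."""
    root = Path(tempfile.mkdtemp(prefix="gdpr_sample_"))
    (root / "hr").mkdir()
    (root / "hr" / "staff.csv").write_text(
        "name,email,phone,postcode\n"
        "Jane Example,jane.example@example.co.uk,01632 960123,SW1A 1AA\n"
        "John Sample,john.sample@example.com,+44 1632 960456,M1 1AE\n"
    )
    (root / "ops").mkdir()
    (root / "ops" / "access.log").write_text(
        "192.0.2.10 - - [01/May/2018] GET /index.html\n"
        "198.51.100.7 - - [01/May/2018] GET /login\n"
    )
    (root / "ops" / "readme.txt").write_text("Build notes only. No personal data here.\n")
    (root / "ops" / "backup.bin").write_bytes(b"\x00\x01binary")  # skipped: not a text suffix
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    inv = scan_tree(sample_root)
    for rel, hits in sorted(inv.items()):
        print(f"{rel}: {dict(hits)}")
    print("totals:", summarise(inv))
```

Run against a real share or a mounted device image, the output tells you which paths need a decision on retention and legal basis (the HR export) and which are operational data that still contains identifiers (the web server log with IP addresses), while files with no matches drop out of the report. Point it at a copy of the data, keep the report itself access-controlled, and treat the counts as a starting point for the manual review the article describes rather than as a complete answer.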
If you’ve done all of the work outlined, you will have completed the first stage of your GDPR compliance journey. As Winston Churchill once said, "Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning." In other words, we’ve got a lot more to do and it isn’t going to be easy.
You don’t have to do this on your own.
Active IT can hold your hand on this journey.