Having high quality data about your customers, your target audience, your suppliers and your staff will drive business growth, if it is used effectively. Managing and controlling that data, and how it is used, presents a genuine challenge for any business.
That challenge increased in May 2018 with the introduction of the General Data Protection Regulation (GDPR), and now has become even more complex post-Brexit: for example, there is UK GDPR, but some will also need to consider EU GDPR and its impact on their operations.
Much of the focus around data protection has been on the fines that can be imposed if you do not comply. But there is also the reputational risk that goes with a data breach, as well as the risk that in extreme situations the Information Commissioner could impose a penalty that interrupts your day-to-day business operations.
Remember, the data protection legislation will apply to you if you:
- keep or use personal data about your stakeholders, whether that is your customers, staff, suppliers or other individuals
- have a website that collects personal data (e.g. via cookies, an enquiry form or newsletter subscriptions)
- transfer personal data from the UK (or EU, if based there) to countries other than the UK or EU – whether that is other companies within your Group, or other customers or suppliers overseas
- process personal data on behalf of another company (meaning that you are a data processor).
Fact finding, careful thinking, planning and operational implementation will all be needed. You can’t collect everything, keep it forever and worry about it later.
Key action points for you to consider include:
- Securing internal support from Board level down – you should have organisational commitment to compliance with the data protection legislation
- Understanding what information you hold about individuals within and outside of your organisation
- Designing your processes for compliance including drafting of notices and policies, conducting impact assessments, appointing a data protection officer etc.
- Addressing cybersecurity risks and threats
- Training your staff.
How the Data Protection team at DMH Stallard can help
How much work you need to do to get your organisation GDPR compliant depends on a variety of factors, such as how data-rich your business is and how compliant you already are with the UK GDPR and the Data Protection Act 2018.
We will work with you to get you up to the required standard – agreeing a plan for key tasks to be delivered in accordance with set timescales.
To get you on the right track towards compliance we offer:
- A business-wide data audit document which will help you to understand the flows of data into and out of your organisation, allowing you to then focus on areas of highest risk
- A privacy statement which can be used to tell your staff, customers, suppliers etc. how you will use the data you hold about them
- A training session for your managers or staff delivered by one of our team introducing them to GDPR and considering how it might affect your business
- Consultancy services so that your Data Protection Officer or others within your organisation can get guidance from our team on areas specifically relevant to you (up to five hours of support included)
- A notification of breach form, allowing you to respond quickly to the Information Commissioner if there is a data breach
This fixed price package will give you the comfort that you are going to be well on your way towards data protection compliance.
There may be other support and advice you need depending on your business, including:
- Reviewing internal and external policies and procedures, including privacy policies, data breach response plans, data retention policies, data protection strategies, and binding corporate rules and helping you update these in line with the data protection legislation
- Reviewing and updating data protection clauses in your contracts with third parties (including contracts which you have in place with your suppliers and customers, as well as your employment contracts)
- Supporting your Data Protection Officer (DPO) or other DPO service (if you fall within the requirements under the data protection legislation to appoint one).