- Created: Tuesday, 06 April 2021
- Written by Tim Nicholls
GDPR and the Data Protection Act? That’s for the big kids isn’t it? They’re not going to come after my business?
Actually, the Information Commissioner's Office does, as a small shop in Aldermaston found out. One day their website got hacked and their customer details were stolen.
The ICO investigated the case, decided that they hadn’t taken sufficient steps to secure their customers’ information, and imposed a fine of £60,000, a sum that could be ruinous to many small businesses.
Don’t let that happen to you. Being compliant means staying compliant: making sure your security, policies, practices and procedures remain effective. As your business grows or changes you may have to review and change those policies, practices and procedures.
- Have you introduced new software? Where does it store its data? Does it meet the requirement in the DPA to protect against unauthorised or unlawful processing? For example, with that new HR package, is access really restricted to members of the HR department?
- Have you vetted any new supplier’s compliance?
- Check your consent practices and your existing consents. If you decide to use personal data previously collected for a new purpose, you will need to seek permission from the data subjects.
- Is your Data Retention policy still fit for purpose? Are you now collecting any new types of data that you weren’t previously? Are you holding on to data longer than necessary? For example, employee insurance information should only be held for 3 years, and payslips for 5 years if you are a sole trader/partner, or 6 years for companies.
- New employees: does your onboarding process cover the various different types of data you collect and what you have consent to use it for?
- E-discovery: how easy is it to find relevant data? Data subjects have the right to request the information held about them and to have incorrect data amended. How easy is it to find and update information across your systems?
- Have you set up new devices, laptops and PCs securely? Do those devices have encrypted drives? Have you enabled two-factor authentication on new apps and services?
- Have you moved your website hosting to a new provider? Does the new supplier enforce proper security and protection for your data?
- If you haven’t already achieved the UK Government’s Cyber Essentials certification, ask us to take you through the process.