Kidwells Solicitors practice director Rebecca Hardy spoke to delegates about the General Data Protection Regulation (GDPR) at the recent GIMA conference helping them to makes sense of the new legislation and start taking the right steps for their business.

hen I first hear d about GDPR, I was

like a stroppy

teenager because of all implications but I am now a big fan of the regulation. I want my data kept safe and so should other people. Cyber crime is the fastest growing

area of crime at the moment. The law hasn’t moved as quickly as technology has. People need to understand the risks of cybercrime, or an attack and what having up to date anti-virus software can do.

If you don’t have an IT provider or in-house team, then speak to someone who knows what they are talking about. Training for your staff on how to keep data safe is also absolutely essential. They need to understand what personal data is. You need to realise that, regardless of what happens in Brexit, we will still be subject to these regulations. The regulations apply to controllers and operators in the UK regardless of where processing takes place. As a business, there are lots of

things you need to consider – for example, if you don’t back up your data and you have a breach this afternoon, how are you going to recover your data?

If you haven’t started working on this or if you have, look at

the technical scope of all aspects. Make sure there are no open pores for a breach or someone to access your data. When there’s a breach, no matter how big or little, you have to report it to the Information Commissioner’s Office (ICO) and they will come into your business and look at the system you have in place.

What is personal data? Personal data means any information relating to an individual or identifiable natural person. A data subject who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, photo, email address, or bank details If you only deal with B2B, fine but you still need to make sure your employees’ records and data is all protected. You also need to look at your Mailchimp and database. There are simple steps you can take like even just making sure there is a lock on your filing cabinet. Or, if everything is online, then you can encrypt data, back it up, have virus software, etc. If you have it all hard copy in the

office but don’t have a lock on the door or filing cabinet, anyone has the opportunity to access that data. You should have clear desk policies, and, if a computer is left on, then it needs to be locked.


We asked our readers: Do you know enough about the General Data Protection Regulation (GDPR) and what your business needs to do to comply?

I have no idea what GDPR is or what it means for my business – 24%

I know a little but need more support and advice on how to comply – 19%

I have been learning about this and putting measures in place ahead of the May 25 deadline – 30%

Yes, my business is already fully compliant – 27%

10 DIY WEEK 01 JUNE 2018

Consent is key You also need to be sure that you have the legal grounds to process that data. When it comes to mailing lists, you need to email individuals and ask consent for you to use their data. Yes, there may be people who don’t respond giving consent and you may lose some people off your database but I doubt many of you have looked at your database recently.

How many of you have cleaned up

your database in the past fiive or 10 years? Use this as an exercise to tidy up your database.

Go away and look at what data you hold and if you have legitimate consent to hold that data. Also note that you are a data controller of your staff. You control that data. If you provide the data you hold to a third party, i.e a delivery courier, they become a processor. You are liable for what they do with that data. If a delivery driver leaves an address label on display on a van dashboard and someone sees and reports that to the ICO, you can also be held accountable. You need to make sure that your terms and conditions with your processors make it clear that you and the processor are equally

liable for any breach. You can update those T&Cs to say that if they don’t keep that data safe, they are liable. Remember that web and IT providers are all processors. You have to make sure that everyone is compliant with your policies. It is not enough to just put it

in company manuals and hope people read it.

Steps to becoming GDPR compliant

The ICO wants to work with organisations and will be more lenient on you if you show that you have policies in place to combat these things.

Get in place: 1.Privacy standard Policy 2.Information Security Policy 3.Data Subject Request Procedure 4.Website Privacy Policy (cookies) 5.Business Continuity Plan 6.Risk register

7.Privacy notice for employees 8.Privacy Notice for data subjects

Complete: Data and consent register

Update: •Third party T&Cs •Service Agreements

Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36