There’s no dodging the issue: if you run a business, regardless of whether it’s a vast multi-national or a simple sole trader operation, you need to comply with data protection regulations.
The GDPR (General Data Protection Regulation) was established in 2018, but there is evidently still confusion surrounding its requirements. This has been highlighted by recent high-profile compliance failures at British Airways and Marriott International, with these two companies alone facing combined fines of £38 million. To avoid fines of your own, the best approach is a proactive one.
What Brexit Means for Compliance
There has also been confusion surrounding the consequences of the UK’s imminent departure from the EU. As GDPR was brought in by the EU, and specifically refers to data held on EU citizens, it’s understandable to think that perhaps compliance won’t be necessary after the first of January 2021. However, the UK government has adopted a version of the regulations under our own Data Protection Act in preparation for Brexit, meaning that the same rules will still apply. Therefore, it’s essential for all UK businesses to ensure that they are continuing to meet GDPR regulations.
How to Achieve Compliance
The first step in meeting the GDPR requirements is to carry out a thorough risk assessment. In doing so, you should have a clearer picture of any vulnerabilities which may exist, and what measures might be needed to improve security. This should be repeated any time new systems, software or processes are introduced.
It’s a good idea to adopt a holistic approach to the security and privacy of customer data, so make staff training a priority. If everyone in your organisation is up to speed with the regulations, this should help minimise risk and even pay dividends in terms of speed of identifying any future threats.
Every employee should be aware of a customer’s legal right to access their personal information stored by your organisation (a Data Subject Access Request, or DSAR), and understand that this request may be made verbally as well as in writing, and to any member of staff. Some organisations will be required to appoint a designated Data Protection Officer, who should have extensive knowledge and additional training on the regulations.
Tips for Securing Data
If you have carried out a thorough risk assessment, you will already know that data isn’t just kept in your main databases. Thanks to the prevalence of APIs (Application Programming Interfaces), data flows between applications and is often backed up to the cloud, held on employee devices, and contained in email communications, and each of these locations can put it at significant risk of hacking. The answer is not to prevent sharing data across applications, but to implement rigorous authentication protocols. Using API keys is a good first step; then align API access with your other strategies for data protection.
Be mindful of any third party organisations that you may work with, and ask them how they implement data security. If their protection is insufficient, it may put your own customers’ safety at risk, too.
Create systems that allow DSARs to be fulfilled using all data held across all areas of your organisation. A manual approach is not likely to be sufficient, particularly if multiple requests are made. Following on from this, it’s important to have a robust system in place for effectively deleting customer information.
Ultimately, data protection is the responsibility of every employee, and it’s vital to promote awareness throughout your organisation. It’s an ongoing commitment, so be sure to run frequent risk assessments, and ensure documentation of your compliance measures is maintained. It’s crucial that you keep a focus on your data management architecture, as this will play the greatest part in ensuring that data remains protected. By making data protection an ongoing priority, it becomes a far more manageable task.