General DataProtection Regulation (GDPR) came into force on 25 May 2018 to protect how EU residents’ personal data is protected. Although it was passed in Europe, it can apply to businesses around the world if they target or collect data from people within the European Union. The law aims to give citizens more control of their data and simplify regulations for business owners.
Since the UK has now left the EU and the transition period ended on 31 December 2020, the EUGDPR no longer applies to those operating solely within the UK. However, the provisions (now known as UK GDPR) have been directly incorporated into the DataProtection Act 2018. In practice, there is very little change to the core principles, rights and business obligations.
The DataProtection Act 2018 and UK GDPR applies to any business established in the UK.If your business collects personal and sensitive data from customers, employees and suppliers then you need to ensure you are compliant.
GDPR policy is the strictest privacy and security law in the world and contains hundreds of pages. In order for your business to be compliant and avoid a fine, you have to take into consideration multiple key points, To make it simpler we’ve taken the key takeaways from the policy to help you make sure your business is compliant.
Know your data
Be aware of the different types of data that you manage and the different ways in which you collect. You could do this by undertaking a data audit but make sure you include all business pillars of your organisation.Cover all bases! Types of data include names, addresses, bank details, IP addresses plus sensitive data such as health records.
Make sure your policy is clear and specific in its detail. People need to be informed of what you will be doing with their data and your privacy policies are where that information should be found. Regularly look into the latest changes in law so these can be reflected in your policy.
Review your contracts
Even existing contracts need to reflect UK GDPR rules so review those with your customers, employees and suppliers. All contracts should be written to reflect your industry and the compliance needs that come with it.
Make sure you have a consent process
If you have cases where you ask users for their data consent, ensure you have a process in place to follow that through. Remember, you can only use the data for the purposes that you laid out when requesting consent. You should also have options for users to easily withdraw consent. Consent should put individuals in control, build trust and engagement, and enhance your reputation.
Use age verification
If you know that a lot of your client base is under age, consider setting up a parental authorisation process. You can implement several age verification methods to make sure you are managing this lawfully.
Many businesses may be exempt from legally needing to assign aData Protection Officer however it may be wise to implement one regardless.It’s certainly necessary to assign an employee with the responsibility for data and privacy matters. If you have over 250 employees or your company’s core activities involve regular monitoring of data subjects on a large scale, or involve processing large volumes of sensitive data then you must hire a DPO. For more information check out the ICO small business hub.
Manage access requests
All data subjects have a right to access their personal data you hold at any time. Under UK GDPR law your business will have 30 days to respond to the request. It is pivotal that you have plans in place to be able to respond to such a request. Create forms and digitise where you can to quicken this process.
Perfect your security
An important way to ensure you are UK GDPR compliant is to look at your security measures. Every system that needs a password should have one and review access rights on a ‘must have’ basis. Alongside this, make sure you have strong security over your systems and do your due diligence on your suppliers also. Especially those providing your payment systems.
Prepare for data breaches
It is fundamental that your business deals with data breaches well. Have a reporting system in place to report any breaches within 72 hours of becoming aware of the risk. Train your staff in GDPR and security matters and ensure they know what to do in the case of a breach.
Check your Supervisory Authority
If your business operates in multiple EU countries, you should be assigned a Supervisory Authority. The UK’s SA is The Information Commissioner'sOffice (ICO) and are responsible for promoting and enforcing the legislation, as well as providing advice and guidance to organisations and individuals.
By following this checklist, you should have a greater understanding of how to make your business UK GDPR compliant for 2021.