The General Data Protection Regulation (GDPR) is fast becoming a talking point in small firms everywhere – but there’s growing bewilderment over how to comply with it. Expert articles tell us all about its huge scope and colossal fines, but they don’t explain how to put its principles into practice. How do small firms run a GDPR project?
As a lawyer and Data Protection Officer for a US Fortune 500 company, I have experience of what works and what doesn’t. Here are some top tips on how to make compliance work for your company.
Meet the DPO
Under GDPR you have to appoint a Data Protection Officer (DPO) if:
- You are a public body, or
- You carry out monitoring of individuals on a large scale, or
- Your ‘core activities’ consist of large scale processing of special categories of data.
It is important to remember that you will be in breach of GDPR if you do not appoint a DPO when you are supposed to.
Know your risks
In the digital world, companies are processing more personal data than ever before. To get organised for GDPR you must figure out where your data is and where it goes. You’ll need to kick your GDPR project off with a data audit. Give your departments a questionnaire on how the firm’s data is processed and hold follow-up meetings with them to fully understand how that data is processed.
You’ll also need to draw a map of your data, who it’s shared with and where it is being sent, to help you understand the risks your company faces. For example, if you’re a marketing company sending personal data to a payroll provider, you will want to know where your data is going and whether the payroll provider is sharing it with anyone else. A data map will help you understand the risks and take effective action.
Train your staff
Educating staff about their new responsibilities is crucial. Your staff are the front line of your business, but they can often be the weakest link – research shows that staff error is a leading cause of data breaches.
My tips for training are:
- Deliver basic data protection training to all staff;
- Work out who needs further face-to-face training: e.g. your accounts department, HR, etc.;
- Make it engaging and relevant with lots of examples of how it impacts their everyday life and their job; and
- Record all training you carry out – it will be useful if a regulator ever comes knocking.
Make those policies real
GDPR requires firms to ‘demonstrate compliance’ in all the operations that involve personal data. This means having policies in place to educate staff on their responsibilities when handling personal data. This isn’t easy, of course: you may well need to draw up some new policies, such as a data breach incident plan, a big data policy, a human resources data protection policy, a marketing and data protection policy, a social media policy, and a bring your own device policy. These documents need to be clear, short and jargon-free, so your staff read them and act on them. Don’t shy away from this stage: find your policy gaps and fill them, fast.
Keep suppliers on board
Dealing with GDPR won’t win you popularity contests with some of your suppliers, because you are going to need to amend some of your supplier contracts to insert the clauses that are required under GDPR. These clauses spell out what the suppliers’ responsibilities are when they are handling personal data on your behalf.
GDPR is an action regulation. The time for hesitating has passed. It is a regulation you can comply with if you take action and start applying the necessary steps to your business.
Patrick O’Kane is a lawyer and data protection officer for a US Fortune 500 company and is the author of GDPR: Fix it Fast.