Getting Started with GDPR our Top Five Tips
Published on: 27th March 2018
By PYXI GDPR Team
Starting on the journey to GDPR compliance can feel overwhelming, and an almost unmanageable task. We've put together a few practical ideas to help make things a little more bite-sized and achieveable. Here are our Top 5 Tips:
- Just Do It...
Buy a new notebook, create a new Word doc, or open a new file. Write GDPR at the top. OK. Now we've begun. The ICO has said that its regulatory stance will be proportionate and fair to small businesses, but it won't tolerate ignorance. Getting underway, and showing your engagement with this process, is a big tick for your business as far as the ICO is concerned. It will take you some time to sort everything out and become GDPR compliant, particularly as you'll already be really busy with running your business. We suggest breaking the compliance tasks down into small steps that you can tackle in stages, and return to again and again in the course of your work.
- Write it Down - Starting with WHAT YOU STORE
In your new GDPR document (or notebook) start a new page and call it: "Data We Store" and write a list of all the types of Personal Data that you store and use in your business. This can be names, addresses, emails, phone numbers, financial information, legal docs, contracts, etc. anything that you store or use that relates to a person. You'll probably realise that you've forgotten things when you get back to the day job, so keep the file open and jot down anything that you encounter while you're working. This is the first step we've set out on our quick Guide to GDPR Compliance. You can download a copy here, and keep it with your GDPR records. Don't be shy with this process. Document what you've got, warts and all, and then later you'll be able to sort things out and improve your business' data practice.
- Review and Think
Once you've begun to document your business' data and define how you look after the data you use, you will probably need to consider whether you could improve things. (Let's face it, everyone will need to make some improvements.) Based on the types of data you store and whether you store information about high-risk groups of people (like children), you can prioritise the areas that need immediate attention. Actions may include deleting unnecessary data, tightening up security, checking on consent processes, adding in backups, updating user access, and so on. Having done the definition of your business' data this thinking and review becomes so much easier.
- Talk About It
There will always be other people who have some sort of access to your data; there's HMRC for one, probably an accountant, maybe external regulators, and almost always colleagues. The ICO have been very clear about wanting to use GDPR as a way to transform our data culture, and improve how we understand data practice. A key part of the compliance journey will include making sure that all those who access your data know what you expect of them. Training and education and sharing best practice should become part of the ongoing conversation in the business, and any new partners or employees will need to receive induction to bring them up to speed with your approach. It may be advisable to make sure that commerical and employment contracts include necessary provisions for GDPR too.
- Keep Up To Date
As with all new legislation, there are lots of areas that need to be clarified and confirmed in the new GDPR act. In the coming months there will be test cases and further guidance given by the ICO that will provide more explicit information about what is meant by GDPR Compliance in practise. It's important not to miss out on this early-day advice as there's a strong chance it will affect you. You can follow the ICO here, www.ico.org.uk, or sign up to our GDPR Team's weekly newsletter, to stay on top of the most up-to-date information about GDPR in the UK.
PYXI GDPR Team: 27th Mar 2018 10:02:00
Subscribe to our
Weekly GDPR Newsletter.
It's full of really useful updates
for UK small businesses.
Enforcement Notice For Not Responding To A Subject Access Request
Ainsworth Lord Estates Limited has been served an enforcement notice for not responding to a Subject Access Request. A Lancashire-based business, Ainsworth Lord Estates Limited, has been served an Enforcement Notice by the Information Commissioner... click to read more