We are a small Community Organisation and we do not know where to start with GDPR
Published on: 19th April 2018
By PYXI GDPR Team
The first thing you need to do is make a cup of tea (or coffee) and sit and read this first article which sets the scene. This will take you through the foundation steps to becoming GDPR compliant. Once you've been through this process you will have identified the extent of the personal data you store, and will be able to show why you do what you do with it. See you in a minute...
Welcome back. So now you have the WHAT, WHOM and WHY, we now have to think about HOW you look after the data. This means identifying where it's stored and who has access to it, and any security and safeguarding measures you may have in place to ensure that the data is not likely to be breached or compromised.
With GDPR anyone who touches (processes) your data needs to be recorded as part of your GDPR documentation. So if your email is with Google, or your website is with Shopify, or your mailing list is with MailChimp, you need to check that they are GDPR compliant too. Similarly if your website has a database of customers on it you need to know whether your hosting company is compliant. If you share your organisation's personal data in any way you need to check out the compliance of each organisation you work with.
You'll also need to think about who in your organisation has access to the personal data too. If they can see, edit, delete and use any personal data then they must do so in line with your stated purposes (the WHY) from the previous exercise. Also think about how you can turn off their access if and when they leave your organisation, or no longer need to process the personal data.
58% of data breaches are internal to the business or organisation. This can be malicious, deliberate and criminal abuse of the data (e.g. by a disgruntled ex-employee) or by inadvertent, careless, "accidental" action (e.g. sending an email with some data attached to the wrong recipient). Controlling the risks around internal data misuse is built on clear education and explanation, along with appropriate measures to control access and security. This can also include encryption, anonymisation and other technical security measures. We'll be writing more about these in the coming weeks, so sign up to our weekly GDPR newsletter to hear about them as they are published.
So you know what's what, who does it, what they do, for whom and how the whole thing is managed; now what? You now need to take a little look into the issue of CONSENT. This is where people give their explicit permission to you to use their data in defined ways.
You're probably familiar with the "tick here to receive marketing stuff from us" message. Well that's what we're talking about here: people telling you they are happy for you to use their data in particular ways. This might be giving you permission to send newsletters, advertising, marketing messages and so on, but also might be permitting you to use their data for other business purposes; e.g. surveys, selling things, providing services, and other business activities. If you're doing any of these things with the person's data then you need to ask their permission. Sometimes, in special cases, this can be inferred; as in the situation where someone buys something from you. You would of course store their data for HMRC / accounting reasons. You may also reasonably use their data to fulfil service contracts, arrange delivery or validate and honour warranties. It is still advisable to be explicit in the signup/purchase content and explain that the personal data will be used in these ways for these reasons.
You can't force or pre-tick any consent boxes on contact or sales forms on your website however. Giving consent must be a deliberate and positive act; actively ticking the box to confirm acceptance. Once you've sorted this out, you're really on the home straight.
So now you should know WHAT you process, WHOSE data you process, WHY you're processing it, HOW you're storing it and WHO has access to it, and now you've nailed down your CONSENT process too.
The final step is to plan to repeat and repeat and repeat. Compliance is not a destination. There's no exam pass or fail. As data grows and the uses increase and the apps multiply you'll need to keep on top of how each new addition will affect your own data protection activity and add it in to your documentation. And continually share your thoughts and findings and any policy changes with your colleagues and partners so everyone knows where you stand. To stay compliant you'll need to continually review and think about and work on your compliance.
We'll be posting more articles and tips and insights that we hope will help you to keep up to date, and on top of your GDPR compliance. We'll also be sharing some case-studies to help make it practical and "real". If you've useful experience to share do get in touch. Subscribe to our newsletter or contact us here.
PYXI GDPR Team: 19th Apr 2018 16:27:00
Subscribe to our
Weekly GDPR Newsletter.
It's full of really useful updates
for UK small businesses.
Enforcement Notice For Not Responding To A Subject Access Request
Ainsworth Lord Estates Limited has been served an enforcement notice for not responding to a Subject Access Request. A Lancashire-based business, Ainsworth Lord Estates Limited, has been served an Enforcement Notice by the Information Commissioner... click to read more