1. Have a plan
2. Appoint a data controller
3. Establish whether you hold personal data
If you have employees or personal clients, you do. NB GDPR applies to personal data only, not to data on businesses or other entities.
4. Establish how you will gain the necessary permissions
If you hold personal data in order to provide your services to your clients or to pay salaries to your employees, it is lawful for you to hold and process that data. For any other purpose – marketing, PR etc. – you need to obtain permission from the person concerned, and they have to “opt in”: you can’t simply assume by default that they agree. So no pre-ticked boxes on forms or web pages. Also, be aware that when an employee or client becomes an ex-employee or ex-client the relationship with them changes. Holding their data may well remain lawful because there may be statutory reasons for you to hold it, but there may not.
5. Access and Transparency
Although it may well be lawful for you to hold personal data, the people concerned – “data subjects” – have rights of access to that data to ensure that it is correct, that it is all necessary for the intended purpose and that it is not being held for an unnecessarily long period. So you have to enable them to have access if they request it, and you have to inform them of their rights of access. The key to this is informing them of their rights in engagement letters or letters of employment. We think it would also be sensible to consider the issuing of disengagement letters when clients move on and equivalent letters when staff move on. You also need to make sure they know who the data controller is, why you need their data, where it will be dealt with and who will have access to it. If you intend to transfer their data to another country, you need to provide details of this and how and why the data will be protected.
6. Establish where your data is held and think about security
GDPR applies to all data, not just the electronically stored kind covered by the current rules. The rules are risk based, so you have to consider the risk of personal data being accessed by unauthorised people. Data held on paper should not present much of a problem: filing cabinets with locks as appropriate and suitable archive facilities ought, in the majority of cases, to deal with the security issue, but you will have to make sure your systems are appropriate, depending on the sensitivity of the information stored. Data stored, processed and transmitted electronically may present additional problems. You need to know where the data is and what the security risks are, and you need to take steps to mitigate those risks.
- If it’s held on site – can your systems be hacked?
- Does data leave the office on laptops, memory sticks or other devices?
- Where do you keep your backups?
- Is data transmitted by email or other electronic means?
- If you use the cloud, where are the servers, and do you need further permissions?