Three years on from the introduction of GDPR, data protection remains at the heart of the political agenda and at the forefront of our minds, as individuals remain concerned about how organisations are using their data.
The implementation of the General Data Protection Regulation (GDPR) and Data Protection Act in 2018 received much publicity. However, it is important to remember that this is a continuing obligation and that businesses should strive to improve their processes, demonstrate compliance and embed the principles across their business.
In 2018 you probably reviewed the data you hold on your clients and what process alterations you needed to make to be compliant with the new law. GDPR provides for continuous improvement, ensuring that you carry out a Data Protection Impact Assessment for every new policy or process that you put in place.
You must be able to demonstrate that you are meeting the obligations of “privacy by design” and “protection by default”. Put simply, this means implementing new technology as required to show that data protection is integrated into your business and that it has become the default option for any new processes implemented in the future, highlighting risks and reducing these at an early stage.
Recognising who uses your services, what personal data you hold about them, why it is required and where it is stored will give you a good basis from which to identify the rights of those individuals and what your duties are in relation to these.
Individuals have the following rights in relation to their data:
Right to rectification i.e. for incorrect data to be corrected or completed
Right to be informed i.e. know what information businesses hold and how they intend to use it
Right to erasure i.e. sometimes known as the right to be forgotten
Right to restrict processing i.e. you may store it but not process it further
Right to object i.e. to how businesses use their clients’ data, for example for direct marketing
Right to data portability i.e. to transfer data to another organisation
Right in relation to automated decision making i.e. to ensure an individual can always access human intervention
Right of access i.e. otherwise known as a subject access request.
Do you have a process for recording the actions you take when a data subject requests their personal data (sometimes known as a subject access request) or when they seek for their personal data to be erased or transferred somewhere? Remember, you need to comply with any request within one calendar month in most cases, so your processes need to enable you to comply and record your actions.
Embed the Data Protection Culture
Foster a culture of data protection and information security, ensuring staff know what their obligations are, what the reporting structures are for any breach and that they are aware of the consequences of failure to comply. Your business needs to know its obligations. However, it is important to recognise that this is not limited to management or senior roles, since any person within an organisation can breach the regulations, for example by sending an email to the wrong person in error or sending direct marketing materials without appropriate consents.
Given the increased fines and reporting timescales, embedding a culture within your organisation to ensure that everyone is aware of these implications and that they are appropriately trained will be crucial to demonstrate a commitment to the importance of responsible handling of personal data.
Train your staff
The Information Commissioner has previously stated that “staff are your best defence and greatest potential weakness – regular and refresher training is a must”.
Keep an eye on future developments
The UK’s exit from the EU will undoubtedly bring about change in this area. With adequacy as of yet confirmed, businesses need to remain agile to future change to ensure that they are able to take any extra steps that may be required.
At Dispute Resolution Ombudsman and the Furniture & Home Improvement Ombudsman we run training courses on all aspects of this law. With exercises designed to embed the principles of data protection and practical tips for completing your data audits, the course is designed to empower your staff to know and demonstrate their commitment to protecting your customers’ data and your organisation’s continued commitment to responsible business practices.
We delivered this course via a virtual platform on 25 May 2021 (coincidentally the 3rd anniversary of GDPR). Feedback continues to be strong, with delegates stating that they would recommend it to colleagues.