GDPR, beyond the basics

Friday, April 20, 2018

With just a handful of weeks remaining until the new era of GDPR is ushered in on Friday 25th May, most practitioners now have a GDPR strategy in place – or at least have a degree of understanding about what it will take to be compliant. As the deadline fast approaches, it is time to dig a little deeper into what working with GDPR will entail.

There are areas within every firm that have the potential to be overlooked or trip up practitioners, if not given due care and attention in time. From software and devices, to HR and marketing, having a firm grip on the complex requirements of GDPR goes far beyond just your relationship with clients and handling their data.

Here, we examine several different areas you may need to consider ahead of the big day in May:

Don’t leave devices to their own devices

Any piece of kit that contains sensitive data needs to be as secure as it can be. Whether it is your own work IT (PCs, laptops, tablets, phones, hard drives, camera equipment, etc.), or devices used by others within the practice, keep a register of the pieces of portable technology you save data on, so that you can keep them secure and also identify when an ‘unauthorised’ device is being used. Have a clear policy on using devices outside of the office and using personal devices to access work. A prudent rule is that any device used to access sensitive data – be that of clients, business prospects, suppliers or staff – should have adequate security on it in terms of passwords, no automatic logins to access cloud drives or portals, and updated firewalls, and should be locked or logged off when the user is away from it. Round up old equipment and wipe it of any data before safely disposing of it.

There can never be too many layers of security

This is the time to update passwords, especially those that everyone in a practice shares and that haven’t been changed despite staff coming and going. This includes passwords for computers, emails, software, printers, routers, hard drives, cloud storage, drives, files, and any tools or software you share with clients. Passwords also need to be kept secure – there is no point changing passwords simply to then email the new ones around or keep them pinned to a noticeboard. Where you can encrypt data, or add layers of security to confirm authenticity, do so – it is not overkill and these are not complicated steps to take.

Ward off viruses and cyber-attacks

If you do not already have decent anti-virus software and regularly install updates to it, this needs to become a priority ahead of May. The free version that comes with a new computer is not necessarily comprehensive enough for business use, so do your homework because it must be able to withstand increasingly sophisticated cyber-attacks. As ransomware, malware and viruses are becoming harder to detect and more frequent, it is pivotal to have regularly updated software to form your first line of defence. Likewise, a good firewall – for software and hardware – can help protect your network, if it is set up properly and access to it is restricted to keep it secure. Consider rules for your practice around whether individuals should be allowed to download apps or software, and if so, define which reputable sources you will allow this from.

Transfer your data as securely as you store it

Consider how data has traditionally, and innocently, been transferred between colleagues, departments, or with clients up until now: by email predominantly, but often on memory sticks, or on written notes. GDPR demands a rethink – and it certainly doesn’t allow for personal info being jotted down on Post-its! Anything that can be accidentally sent to the wrong person, accessed by someone who shouldn’t have access, or physically lost or stolen, needs a new approach. If you opt, instead, for cloud storage or shared portals, there must be confidence that the provider has strong data security – preferably with encryption. There are plenty on the market, from recognised IT brands, to add-ons from accounting software providers, so research the options.

Make sure your marketing is compliant too

Consent is a significant aspect of GDPR, including ensuring you seek consent to use an individual’s data for a specific purpose, and don’t stray beyond that. Remember that this consent must be ‘freely given, specific, informed, and unambiguous’. It means being transparent in your marketing when asking people to sign up for future communications from you: make tick-boxes clearly worded and define what content they will receive. It must be as easy for them to unsubscribe from your marketing as it was to subscribe. This also goes for social media and PR; any content that promises an offer, guide, free service, or anything in exchange for ‘registering your details’ runs the risk of not being compliant if those details are used for other marketing purposes. While it is cumbersome to embrace a different approach, on the plus side, this vigilance in sourcing data from individuals who genuinely want to interact with you can only mean a better level of engagement in the future.

GDPR is not just about external data

It also applies to anything you do with your own employees. Staff data needs to be held securely – and for smaller firms without an HR function, that may mean separate drives or password-protected files. The information you seek and retain must be relevant to you carrying out your obligations as their employer; if in doubt, minimise the information you hold, regularly query whether you still need that degree of information, and erase data belonging to previous employees. While proof of identity, NI and bank details were required for payroll when someone joined the business, does retaining this years later pose more of a risk than it serves a purpose? As with GDPR generally, the rights of the individual take precedence; individuals in your employment need to grant consent to use of their data and have the right to know what data is stored.

Use the remaining time to truly understand your role

With so little time remaining, if you have not already established your position under GDPR, you must do so – this means determining if or when your business is deemed a ‘data processor’ or ‘data controller’ and concluding whether you need to appoint a Data Protection Officer. They should work with the senior management to run an audit of your current processes – it is a valuable exercise and will give you areas to improve upon. Constantly ask the questions: where is this data arriving from and where will it go? What data is being captured and has consent been given? How should it be processed and stored safely? Why are we using the data and are we handling it correctly? Do we still need this data, and can we easily remove it?

Without a doubt many – if not most – practitioners are finding GDPR time-consuming and complex. It requires a culture shift: doing lots of things differently from how they have previously been done, and educating whole teams and clients. The stakes are high if changes are not made sufficiently or correctly. Remember that you are not alone: there are plenty of resources and support networks to help you, and there is still just enough time to get to grips with both the basic requirements of GDPR and to dig a little deeper.