How to Review Your Data Protection Compliance

Tomorrow is the three-year anniversary of the implementation of GDPR in 2018, so it’s time to think about reviewing your Data Protection Compliance.

When was the last time you audited your data processing and reviewed your strategies for keeping that data safe?

If you’re saying 2018, then you’re probably not alone. But GDPR, and more specifically for us in the UK the Data Protection Act now that we’ve left the EU (as you’ll see in my earlier blog, The Effects of Brexit on GDPR), is legislation that is constantly being reviewed and updated.

Things have changed since 2018. We’ve learned a lot more about how data should be processed safely, the impact Brexit has had on how we protect data, and our responsibilities as business owners and data controllers.

Now is a good time to look at your data and then review where you are, and I want to run through how to do that with this blog.

How to audit your data and remain compliant with GDPR and DPA

Step 1. Review your systems

Check through every app, system and process that you use to confirm what you’re still using, what you haven’t used in a while or have stopped using, and anything you’re thinking about using in the future.

This will help you identify where data is being processed and stored. It will also allow you to remove data from systems you’re no longer using, preventing potential future breaches through forgotten accounts.

Step 2. Review your team

Who is on your team, who do you outsource to, and who has access to the data you store and process in your business? Make sure that your team only has access to the data they specifically need to do their work for you.

You should also consider the devices used to access and process data and the security that’s in place on them. Is the wi-fi secure, is encryption in place, and is two-factor authentication being used for logins?

Step 3. Create a data map

Map out how data comes into your business and confirm the lawful basis for collecting data at every point of receipt.

Now consider where data leaves your business and why this might be:

  • For invoicing and accounting purposes
  • To use the data in order to fulfill the work i.e., posting out a purchased item
  • Collecting payment information on your website/booking system
  • Collecting health information to provide a service or deliver a class, i.e., yoga class or massage therapy
  • To chase debt

Those are just a few reasons for data leaving your business and being used on apps, systems or by third parties. You’re likely to have your own reasons but it’s crucial to understand what they are and how data is used for them.

Step 4. Review your Data Protection Impact Assessment for special category data

This is data that requires additional protection due to it being sensitive. Identify whether you hold or collect sensitive data about your clients, such as:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation

If you do use this kind of data within your business, your next step is to confirm the physical location where this data is stored, i.e., where the third-party apps you might store this information on have their servers located. If it’s in the USA, you should consider moving to UK or EU-based apps and systems instead, as the data protection in place in the USA isn’t currently as stringent as in the EU.

You can find out more about special category data and what you need to do with it at the ICO’s website here.

Step 5. Identify EU citizen data

Even if all your clients/customers live in the UK, if any of them are an EU national, their data falls under GDPR jurisdiction rather than the UK’s Data Protection Act following Brexit.

Make a note of these individuals in your system. You may not need to take any further action beyond this, but you’ll know whose data might need treating differently in the future once we’re fully withdrawn from the EU and our DPA is fully reviewed and updated, or if changes to the EU GDPR are made in the future.

Step 6. Review your internal data protection processes

What processes do you have in place to deal with the retention of data? This is data you need to store but aren’t actively using with a client; this is often the case with health-related data, or tax records if you’ve provided financial services within the last seven years. Think about where and how this data is stored, who can access it, and how you’ll know it’s time to delete it from your systems.

What processes do you have in place in case any data breaches occur? Think about knowing when a breach has happened – what will alert you to it? How will you inform your customers about the breach and what will you do to reinstate security as quickly as possible?

What processes do you have in place for Subject Access Requests? Anyone that has interacted with your business can request the data you have collected and hold about them at any time. How will you respond to these requests and give them this data securely?

Step 7. Review your contracting processes

Identifying your third-party processors, apps, systems and the people you outsource to is important for understanding where data is being sent and used. Make a note if any of these processors are EU-based and fall under GDPR rather than the UK’s DPA, as this might mean making changes in the future when things are finalised following our Brexit transition period.

Step 8. Revisit your privacy policy

If anything has changed since your last audit and data protection review, make sure that your privacy policy reflects these changes. You might also need to update your contracts.

A lot of business owners copy and paste privacy policies that look good when they search on Google, or use the ones pre-loaded with WordPress plugins. Every privacy policy should be unique to that business, so if this is something you’ve done, you’ll definitely need to update it.

If you aren’t sure how to do that, there’s some very useful information and a free template over at the ICO, and the Koffeeklatch website has some policies you can purchase that come with a mini-course to help you understand GDPR better and what you need to do to tweak the policy for your business.

I know that the world of data protection and GDPR can be confusing, which is why I offer a support service to help you audit and understand your data and give you the information you need to act on to be compliant with current legislation. Click here to find out more.