It might seem like a silly statement to make when I offer GDPR services, but there’s only so much you can outsource to reach full compliance. I’m offering support and guidance based on my understanding of the new law – General Data Protection Regulation.
The guidance around the law itself may change as we move forward, as points become clarified and test cases are heard, and the PECR update (the Privacy and Electronic Communications Regulations) will also have an impact as the two regulations work together.
GDPR compliance is a process that you have to be involved in every step of the way.
Unfortunately, it isn’t something you can outsource to someone else in your team, or anyone else really. Even Data Protection specialists and lawyers will tell you there’s only so much they can do on your behalf. That’s because you’re the data controller for your business. No one else can take that on for you; the buck rests with you.
Yes, I can assist with your data audit and figure out how you obtain, process and store personal data within your business. I can help you update your mailing list and make sure it’s compliant with GDPR, and I can add policies to your website and ensure it’s updated for security reasons.
But I can’t do everything you need to be fully compliant. Here are the reasons why.
1. I can’t decide your legal basis for processing data
Under GDPR, if you want to process personal data for your business, you must satisfy one of a few conditions, known as ‘the legal basis’ for the activity. These are:
Consent, where the individual has given explicit consent for their personal information to be processed.
Contractual, where the processing of an individual’s data is essential for the performance of a contract, or to enter into a contract.
Legal obligation, where processing is necessary to comply with a legal obligation.
Legitimate interest, if on using a balancing test there is legitimate interest to process personal data which won’t infringe on the rights, interests or freedoms of the individual. Marketing similar products after a recent sale would be a possible basis in this instance.
Public tasks, where processing is necessary for the performance of a task carried out in the public interest. Emergency services and their actions would likely fall under this category.
Vital interests, where the processing of data is necessary to protect the vital interests of the data subject or another person.
You know your business best and are the only one that can decide which legal basis is appropriate for each individual’s data you process. This is something that might change over time, or in certain circumstances. For example, a therapist or counsellor may need to collect additional data to protect a client as part of a safeguarding issue.
2. I can’t make you change the systems you use
Some systems are GDPR compliant, and some are not. I can help you audit your systems and processes and give you a list of which ones are compliant, but it’s up to you to take that information and decide whether to change the non-compliant systems or run the risk of not changing them and hoping for the best!
Knowing how each piece of software processes data, where it’s stored and what kind of encryption is used, and whether this is compliant with GDPR is key.
3. I can’t be there every time you get a new system
Does that surprise you?
Take a moment to think about it. I can audit the systems you’re using at this moment in time and let you know the results. I can’t be there every time you shop for a new system or software to use within your business and give you an instant verdict.
I can tell you what to look out for and how to add it to your data audit, but it’s ultimately your decision. Bear in mind that software and systems may change how they process and store data over time, so you need to audit regularly to remain compliant.
GDPR is about the decisions you make every day as a data controller
Which is why I can’t help you reach full compliance.
Every day you’re having to comply with GDPR – whether it’s meeting a new client, taking details for a new sale, or using personal data within your day-to-day business tasks. I can’t help you with each and every decision you’re going to make as a business owner.
What I can help you with is evaluating the data you have, identifying where the data is held (both physically and on your online devices/cloud storage), and reviewing your trail of consent.
If you’d like to find out more about my GDPR services and how I can help your business, contact me today.