Data Protection – Common Issues We See “on the Ground”
It is nine months since the GDPR came into force and we have all learned a lot. Our experience on the ground is probably the biggest lesson of all. Despite data protection laws having been around for decades, many firms are still unused to the concept of consciously protecting personal data. I say consciously because most firms are already trying to protect data, albeit in a piecemeal and unstructured way.
In many cases businesses aren't entirely sure what personal data they process. And because of changes in systems and personnel over the years, they can't pinpoint exactly where all of that data is stored either. This is worrying. You can't protect data you don't know you have, and you most definitely can't respond to a subject access request within the one-month statutory deadline if you don't know where to find the information.
Data Subjects' Rights
Some businesses are under the impression that they don't need to know about data subjects' rights until such time as those rights are invoked. The risk of that approach is failing to recognise a request when it comes in and being unprepared to deal with it in a timely manner. Businesses that think they are too small to be on the DPC's radar are fooling themselves. All it takes is one breach, one complaint or one headline to draw the attention of the regulator. No business is too small to need to be GDPR compliant. And remember, in the absence of a compliant privacy statement, your website is a giveaway of non-compliance.
Sharing Data with Third Parties
Most businesses share personal data with third parties. This can be for a multitude of reasons: it may be necessary for the provision of services, legal or financial advice, placing investments or using expert witnesses. To protect data subjects' personal data, such a sharing arrangement must be governed by a carefully drawn up contractual agreement that sets out what the recipient may do with the data and how it must be secured. This becomes more complex where data is transferred outside the EU, where a valid transfer mechanism (such as an adequacy decision or standard contractual clauses) is also required.
Businesses that have grown organically often find that they have lost track of their technology. What started out as two PCs and a couple of landlines has developed into a myriad of mobile devices and cloud services. Businesses need to implement encryption, virus protection, controlled file-sharing systems and IT usage policies to get anywhere near protecting data. Understanding how these systems work, and keeping an up-to-date picture of where personal data sits within them, should be the responsibility of a named member of staff.
Transparent communication is essential under the GDPR. At Ambit Compliance we have found that many businesses are collecting and requesting information without fully explaining the purpose. While the reasons may seem obvious to your business, you should not assume that clients will understand why they are being asked to provide personal data. A key example is requesting Anti-Money Laundering (AML) documentation: telling someone the purpose is "because it's the law" just isn't good enough. The data subject should be told what the data is used for, the legal basis for collecting it and how long it will be kept.
The GDPR has been a huge eye-opener for businesses. It has forced them to reflect on their operational processes and technical capabilities. Tackled carefully, it represents an enormous opportunity to tidy up systems and to create safer, future-proofed operational processes.
Let our people help your people achieve compliance. Contact us now for advice and support: [email protected]