Steps to Protect Your Business and Ensure GDPR Compliance

New and established businesses often ask us what key areas to consider when protecting their business. There are, of course, many different legal issues that might arise whilst you are running your business. From ensuring adequate terms and conditions, robust employment contracts, and secure property arrangements, there are many legal pitfalls that businesses may inadvertently need to overcome. An area that may be forgotten by businesses but is increasingly used by individuals and consumers relates to a company's use of personal data.

Understanding the Legal Pitfalls in Business Operations

There surely cannot be a business that does not remember the impact of GDPR in 2018. More challenging for companies is how they have continued to adapt and evolve with changes in which they manage and use personal data and whether, in turn, they have managed to remain compliant with the law and GDPR legislation.

The Lasting Impact of GDPR on Businesses

GDPR was intended to give individuals greater control over how their personal data is used. We now see increased requests from individuals for subject access requests and allegations of misuse of personal data. We frequently assist our clients with responding to subject access requests. These can both be costly and time consuming. So, what can you do, as a business owner, to ensure your business remains GDPR compliant?

How to Stay GDPR Compliant: Practical Steps for Business Owners

Here are some essential steps to help protect your business:

Ensure that you know what personal data you hold

The most important starting point is for a business to be entirely clear about what personal data it collects and processes. A business should understand the different ways it receives personal data: via its website, emails, written correspondence, from customers or suppliers written notes or memos. These are just some of the ways in which a business may obtain and process personal data. It is often easy to see how a business might overlook personal data coming into its organisation.

Understand why you are collecting personal data

Once a business knows what personal data it holds, it will need to determine the reason for holding that data and ensure that any processing meets one of the six lawful grounds contained within GDPR. Whether you have explicit and informed consent, a legitimate interest, or a need to process personal data for the fulfilment of a contract, the reason must be lawful.

Securing and safeguarding the personal data you hold

Having confirmed that you have a legal right to process personal data, it is now vital that your business has sufficient safeguards in place to protect an individual's personal data. Safeguards that your company puts in place should be proportionate to the personal data you hold and damage that may be caused by such personal data being breached. A business should consider encryption and secure storage as a starting point. 

Only retain the data as long as necessary

It is essential to ensure that personal data is kept secure, as businesses should only retain such personal data for as long as necessary. Of course, this will change from business to business, and in different circumstances, business may have a legal obligation to retain personal data for specific periods of time. However, as an organisation, you should consider how long you realistically need to keep personal data. Once there is no longer a need to retain that personal data, you should have a safe and robust process in place to destroy and dispose of that personal data.

Ensure your employees are GDPR trained

Having completed the steps above, everybody within your business must clearly understand their duties and responsibilities when handling and processing personal data. At this point, it's also worth mentioning that personal data is not exclusively that of a business's customers but would also include the personal details of the business's employees. Careful consideration should, therefore, be given to what personal data a business holds with respect to its employees, how that is processed, what the lawful basis is, and when such data would be destroyed.

Ensuring Transparency with Updated Privacy Policies

A requirement of GDPR is that all businesses must comply with the transparency requirements. This requires all business that collect personal data to notify those individuals about their data handling processes. The most effective way most organisations will notify individuals is through a privacy policy or similar document. Frequently, privacy policies will be found on a business's website, but it is important to remember that this is not the only forum in which personal data will be collected and therefore, privacy policies should be made available at any point where personal data is being obtained. Privacy policies should also be regularly checked and updated as an organisation's data policy changes. We frequently see businesses caught out due to them not having updated their privacy policy and maintaining good personal data hygiene.

The Consequences of Non-Compliance: Fines, Risks, and Reputational Damage

Fines can be levied against business for failing to comply with GDPR, which may be as high as 20 million euros or 4% of the company's turnover. In addition to fines, there is also potential reputational risk, the amount of time that must be spent to resolve complaints, subject access requests, and other issues that may arise.