Is your workplace compliant?

Five months on from the GDPR launch date, here at Laser Red we held one of our first team GDPR refresher sessions, provided by a local company, Info Lore. Being a GDPR compliant business means keeping a record of training and understanding for all employees. The depth and number of training sessions required depends on the job role and the level of data being handled. A good place to check this is the Sage website, which details the requirements for different job roles, from marketing and sales to accounts and finance.

What is the purpose of GDPR?

The main objective of GDPR is to protect EU citizens. However much the topic is open to controversy, debate and even fear, its basic principles should not be mocked. With ‘data’ having been a hot topic for a number of years, GDPR was brought in to help keep personal data safe and protect our identities. There has been an increasing number of data breaches at companies worldwide, leading to sensitive information, including banking details, being leaked. These breaches called for a proactive approach to tackle these companies and bring all standards of data protection into line.

The Six Principles

Ensuring your company is GDPR compliant does not necessarily require a compliance officer or extra resources. Follow these six principles and you will be on track to protecting your business, employees and clients.

Lawful, Fair and Transparent Processes

Being open and honest about your processes is a very easy measure to take. Ensure your website has a valid privacy policy and that there are clear guidelines within the business on how you collect, keep and destroy data.

Purpose Limitation

Ensure you’re only recording data that is needed, and understand how long you can and should keep that data for. Your company privacy policy and guidelines can reflect this: you must have a legitimate business reason, and consent, to keep that data.

Data Minimisation

Simply ask yourself: why? Why am I keeping or recording this information? If you cannot answer this, then minimise the risk by not recording it in the first instance.

Accuracy

Under the new data laws, inaccurate or incomplete data must be deleted or amended within 30 days. If a client or employee requests that data be amended, you legally have 30 days to action that request. If you’re unsure whether the data is correct, it should be safely destroyed.

Storage Limitations

This links very closely to data minimisation: simply put, if it is not required then do not keep it!

Integrity and Confidentiality

This links very closely to security: where is personal and sensitive data stored, and how?


When it comes to data, ask yourself some basic questions:

  • Why do I need this?
  • What permissions do I have to store or use it?
  • How am I going to protect it?
  • When should I remove the data?