It’s nearly 5 years since the GDPR was introduced. Love it or hate it, data protection compliance is a fact of business life. Unless you love data protection like we do (weird), it is most definitely an overwhelming bugbear just trying to keep up, when you just want to get on with the day job!

Although most businesses have privacy notices and key policies in place, they are still nervous about what they don’t know, and they still live in fear of a breach (which usually comes out of left field on a Friday: I have no idea why!). The fear comes from not knowing what you don’t know.

Here are my three top tips to try and kill some of those unknown unknowns. They all stem from starting at the beginning and getting to know what’s going on in your business. This will help direct your thinking and save time and resource in the long run.

  1. Map out customer and employee data flows – this is a good starting point to understand what personal data your business is using, for what reason, and who inside/outside your business personal data is flowing to and from.
  2. Do a data protection risk assessment – consider the risks to your customers and employees (e.g., the likelihood and impact on them of your business losing their personal data, system security breaches, or your business sending personal data to the wrong person) and what measures you can introduce to mitigate these.
  3. Develop a plan of priorities – you can’t do everything at once! Working out your critical path based on where the biggest data processing risks to your customers and employees lie is a good starting point.

The process of carrying out the above 3 tasks will help you make informed decisions regarding data protection compliance and strategy within your business. In turn, this will massively reduce your white noise and bring you peace of mind.

Moreover, these actions all form the foundations of an overall accountability framework (a record of how you identify and manage data protection risk across your business and the measures you have in place to meet your legal obligations), which is a fundamental building block of GDPR compliance.

The ICO, the regulator for data protection, offers useful guidance on these matters, or we can help out with all or any of the above.

Lawpoint carries out a full range of data protection services, ranging from the setup of all or any of these programmes to fully outsourced compliance management and outsourced DPO services. For more information on this, please contact us.