1. Register with the Information Commissioner’s Office (ICO)
If your business is a data controller it must be registered with the ICO. From 25 May 2018, data controllers will be required to pay a data protection fee.
2. Audit your data processing
Map out how you process your clients’ personal data from the moment it comes into your office through to storage and file destruction. Don’t forget to map the personal data of your staff.
You are required to keep a record of certain data processing activities, and this audit will give you the information that needs to be recorded and that is needed to meet other GDPR obligations.
3. Identify all the third parties you share data with
You must have a GDPR-compliant contract in place with data processors and appropriate arrangements in place with other controllers. You may wish to have arrangements with other organisations that you pass personal data to in relation to security and retention.
4. Create a data retention policy
You can only store data for as long as it is necessary for the purpose for which it was processed.
5. Have a written data protection policy
Your data protection policy sets out your approach to data protection and privacy.
6. Create new privacy policies for data processing
There is now an obligation to provide anyone whose personal data you process with considerably more information about how you handle their data, usually in the form of a privacy notice.
7. Have a written process for dealing with data subject requests, including subject access requests
You must have a policy detailing how you will deal with requests from clients (and employees/ex-employees) regarding the information that you hold about them. Individuals also have the right to ask for their personal data to be erased in certain circumstances. This can be included in your data protection policy.
8. Have a process and written guidance for what to do in the event of a personal data breach – this could include a cyber attack or loss of paper files
Have in place a written process that sets out what to do in the event of a breach and who is responsible for reporting it to the ICO (where required, within 72 hours of becoming aware of it) and to the affected data subjects. Ensure that all staff can recognise a personal data breach and know who to inform.
9. Review your approach to marketing to ensure it is GDPR compliant
Electronic marketing is regulated by the Privacy and Electronic Communications Regulations (PECR), under which consent is generally required for marketing to individuals and sole traders but not to corporate business contacts. You may be able to rely on the soft opt-in for existing clients.
10. Train your staff
It is crucial that everyone in your firm who handles client data understands and adheres to your policies for handling personal data. Arrange training to ensure that they are up to speed.