I was working as a DPO, late one night,
When my eyes beheld an eerie sight.
For a monster problem began to rise
And suddenly, to my surprise,
There was a breach, a data breach.
How far’d it reach, that data breach?
Where did it reach?
Don’t be left singing your own version of the Monster Mash this Halloween!
There are ghouls and ghosts aplenty in cyberspace, many of whom would love to get their hands on the personal data held by your organisation or business.
You can avoid your data protection becoming a Halloween horror story by following these seven simple rules:
1. Map the personal data you hold
From online data in the cloud to paper documents in your filing cabinets.
The General Data Protection Regulation (GDPR) gives data subjects rights including the right to know what personal data an organisation holds on them. So, you’ll need to know where all the personal data is in your business or organisation so that you can reply to any Subject Access Requests you receive.
You’ll also need to know where this data is held to ensure you have the right, GDPR-compliant security measures in place to prevent breaches like this in the first place.
Think of it as being like the garlic which wards off vampires!
2. Find out if you hold ‘special category’ data
You’ll need to understand what this data is and why it’s so important that it is held securely.
Special category data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where it’s used for identification purposes), data concerning health, data concerning a person’s sex life and data concerning a person’s sexual orientation.
There are also strict rules about the holding of data detailing any criminal offences.
If your organisation holds special category data, it must be securely held and only processed under the nine specific conditions set out in GDPR. You can see them here.
This sensitive data needs special handling as it could cause serious harm for a subject if it is wrongly released or hacked.
The last thing you need is your data Frankenstein’s monster being seen in all the wrong places!
3. Review your data collection, processing, and holding policies
On what legal basis is personal data held, and for how long? Do these policies need to change?
You need to ensure that you collect, hold, and process personal data under a relevant legal basis. You need to get it right from the start and cannot swap legal bases later.
The potential bases are included in Article 6 of GDPR.
They are consent for a specific purpose, contractual matters, legal obligation, vital interests (in other words, to protect someone’s life), a public task, or legitimate interests (unless there is a good reason to protect the data which overrides these legitimate interests).
How long do you NEED to keep data? The longer you have it, the more work there is if someone puts in a Subject Access Request.
Keeping data needlessly can come back to bite you like one of the Walking Dead!
4. Identify your DPO and data processors, and make sure your registration with the ICO is up to date
Most businesses which hold personal data must be registered with the ICO (Information Commissioner’s Office).
A Data Protection Officer (DPO) is mandatory when the organisation is a public authority or body, when the organisation’s core activities consist of data processing operations that require systematic and regular monitoring of data subjects on a large scale, or when an organisation’s core activities include the large-scale processing of special categories of data or personal data relating to criminal convictions or offences.
So, SMEs can fall into this category, depending on their core activities.
You can also choose to appoint a DPO whether or not it’s mandatory: having the right people in place to deal with GDPR requests and data queries will also help you meet the deadline to reply, which is generally one month.
When you get an SAR, who you gonna call? Your DPO, of course…
5. Organise refresher data protection training for your staff
This branch of law can be complicated, as GDPR interacts with the Data Protection Act 2018 and the PECR (Privacy and Electronic Communications Regulations).
GDPR, in particular, is still a new law and its implementation is developing as case law develops.
So, it’s worth being up to date on the latest case rulings and what that means for data protection in general.
6. Keep careful records of how you’re using data
Subjects have the right to know how you’re using their data and whether it complies with the legal basis for collecting, holding, and processing it.
So, keep records detailed enough that you always know how that data is being used. For example, data collected under the legal basis of an ongoing contract should not be treated in the same way as data collected for the specific purpose of marketing.
Sending existing customers marketing messages can be problematic.
Keep better records than Dr Frankenstein!
7. Call on the services of a data protection consultant!
It’s an obvious step for any business or organisation which needs specialised, expert help in data protection. Your consultant will be able to ensure your processes are fit for purpose, they will highlight any potential areas of concern, and will suggest ways to ensure your data protection systems are robust. Some, including our founder at IOLIS, will also act as an outsourced DPO. Think of them as your business’s own ghostbusters!