25 October 2020

The 7 easy ways you can avoid data protection in your business becoming a Halloween horror show...

I was working as a DPO, late one night,
When my eyes beheld an eerie sight.
For a monster problem began to rise
And suddenly, to my surprise,
There was a breach, a data breach.
How far’d it reach, that data breach?
Where did it reach?

Don’t be left singing your own version of the Monster Mash this Halloween!

There are ghouls and ghosts aplenty in cyberspace, many of whom would love to get their hands on the personal data held by your organisation or business.

You can avoid your data protection becoming a Halloween horror story by following these seven simple rules:

1. Map the personal data you hold

From data held online in the cloud to the documents in your filing cabinets.

The General Data Protection Regulation (GDPR) gives data subjects rights, including the right of access: the right to know what personal data an organisation holds on them. So, you’ll need to know where all the personal data is in your business or organisation, in which systems and in which paper files, so that you can find it and reply to any Subject Access Request (SAR) you receive.

You’ll also need to know where this data is held to ensure you have the appropriate technical and organisational security measures GDPR requires in place to prevent breaches in the first place. You cannot protect data you don’t know you have.

Think of it as being like the garlic which wards off vampires!

2. Find out if you hold ‘special category’ data

You’ll need to understand what this data is and why it’s so important that it is held securely.

Special category data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where it’s used for identification purposes), data concerning health, data concerning a person’s sex life and data concerning a person’s sexual orientation.

There are also strict rules about the holding of data detailing any criminal offences.

If your organisation holds special category data, it must be securely held and only processed under the nine specific conditions set out in GDPR. You can see them here.

This sensitive data needs special handling as it could cause serious harm for a subject if it is wrongly released or hacked.

The last thing you need is your data Frankenstein’s monster being seen in all the wrong places!

3. Review your data collection, processing, and holding policies

On what legal basis is personal data held, and for how long? Do these policies need to change?

You need to ensure that you collect, hold, and process personal data under a relevant lawful basis. You need to get it right from the start: you should not swap to a different lawful basis later without a good reason, and you must tell people which basis you are relying on.

The potential bases are included in Article 6 of GDPR.

They are consent for a specific purpose, performance of a contract with the individual, a legal obligation, vital interests (in other words, to protect someone’s life), a public task, or legitimate interests (unless those interests are overridden by the interests, rights, and freedoms of the individual).

How long do you NEED to keep data? GDPR’s storage limitation principle means you should keep it no longer than necessary for the purpose you collected it for. The longer you have it, the more there is to search through if someone puts in a Subject Access Request, and the more there is to lose if you suffer a breach.

Keeping data needlessly can come back to bite you like one of the Walking Dead!

4. Identify your DPO, data processors, and make sure your registration with the ICO is up to date

Most businesses which process personal data must pay the data protection fee to the ICO (Information Commissioner’s Office) and appear on its register, unless an exemption applies.

A Data Protection Officer (DPO) is mandatory when the organisation is a public authority or body, when the organisation’s core activities consist of data processing operations that require systematic and regular monitoring of data subjects on a large scale, or when an organisation’s core activities include the large-scale processing of special categories of data or personal data relating to criminal convictions or offences.

So, SMEs can fall into this category, depending on their core activities.

You can also choose to appoint a DPO whether or not it’s mandatory. Having the people in place to deal with requests under GDPR and data queries will also help you comply with the deadline to reply, which is generally one month (extendable by a further two months for complex or numerous requests, provided you tell the individual within the first month).

When you get an SAR, who you gonna call? Your DPO, of course…

5. Organise refresher data protection training for your staff

This branch of law can be complicated, as GDPR sits alongside the Data Protection Act 2018 and the PECR (the Privacy and Electronic Communications Regulations), and all three can apply at once.

GDPR, in particular, is still a relatively new law, and the way it is interpreted is developing as case law and regulator guidance develop.

So, it’s worth being up to date on the latest case rulings and what that means for data protection in general.

6. Keep careful records of how you’re using data

Subjects have the right to know how you’re using their data and whether it complies with the legal basis for collecting, holding, and processing it.

So, ensure your records are detailed enough that you know how each set of data is being used and on what basis. For example, data collected under the lawful basis of an ongoing contract should not be treated in the same way as data collected for the specific purpose of marketing.

Sending existing customers electronic marketing messages can be problematic. Under PECR, you can generally only rely on the ‘soft opt-in’ where you obtained the person’s details in the course of a sale, you are marketing your own similar products or services, and you gave them a simple way to refuse marketing when you collected their details and in every message since.

Keep better records than Dr Frankenstein!

7. Call on the services of a data protection consultant!

It’s an obvious step for any business or organisation which needs specialised, expert help in data protection. Your consultant will be able to ensure your processes are fit for purpose, they will highlight any potential areas of concern, and will suggest ways to ensure your data protection systems are robust. Some, including our founder at IOLIS, will also act as an outsourced DPO. Think of them as your business’s own ghostbusters!

Do you need specialist advice on dealing with data protection horrors? Please call us on 029 2000 2339 or email contact@iolis-legal.com.

© 2020 IOLIS Ltd. Reg. in England & Wales Num.11968202 For reg. address see contact details | Website designed, hosted, and maintained by Jötnar Systems