The grave financial risk presented by steep fines in the GDPR is enough to force most companies and organisations to pay attention and do whatever they can in order to ensure compliance with its provisions. While technical measures are extremely important, you also need competent staff that will be able to handle the increased requirements stipulated within the GDPR.
Even though real training usually takes the form of privacy seminars and workshops, those are often very expensive for smaller companies. This is unfortunate, as small enterprises are especially at risk from the GDPR, since most lack the dedicated manpower for privacy and data-related issues. However, there are a few basic concrete steps you can take yourself to significantly improve data protection throughout the company in a cost-effective manner.
1. Handling Personal Information Requests
The GDPR stipulates that individuals have the right to obtain a copy of all personal information your company holds on them. You should have the information readily available, tagged and safely stored.
But it does not end there. Your staff must be made aware of the fact that they are required to accommodate all reasonable requests. You must provide individuals with a copy within a month, free of charge, unless the requests are onerous and repetitive. If the latter is the case, inform your staff that they have the right to refuse to respond, but that they must inform the individual of their right to appeal.
The identity of the individual must be verified and referenced against the data in your possession. This can be done via ID scans, security questions and similar methods. When providing data, do it in a commonly used format if the data is in electronic form. However, staff should take care not to provide data relating to other persons without their explicit permission.
2. Phone Calls
Advise your employees not to disclose personal information about any of your clients or users to anyone over the phone. As with the previous point, you should instate an ID verification mechanism that will be used to verify the caller’s identity.
Perhaps less obviously, these checks are also required when making outgoing calls. You never know if a person’s phone number has been changed or their phone stolen. Written communication is king; avoid giving away or receiving personal information over the phone.
3. Dealing with Customers
It is of utmost importance to keep your customers and users up to date regarding the use of their data. The customers have the right to update their data. Your staff should allow them to update their records at any time, especially their preferences regarding marketing, i.e. opt-outs.
Make sure to obtain consent prior to collecting and processing their data. You should prepare consent forms beforehand, and require explicit opt-in for customers (during online registrations, for example). You can also have your staff delete data when not required anymore (as it should be outlined in your security policy).
4. Personal Data Safeguards
Simple organisational guidelines can go a long way towards ensuring that user data is safe. This includes very easy and intuitive practices.
You can mandate regular password changes, such as every 3 months. Take care not to make the changes too often, as staff will tend to write the passwords down. Impose the obligation to log off one’s workstation when not physically present in the office to prevent unauthorised access.
Installing anti-spam and anti-virus programs helps, but so does educating your staff not to open suspicious attachments of dubious origin.
Physical data should also be paid attention to. Make sure to shred sensitive documents that are not required anymore. When deleting personal data, ensure you have destroyed physical copies as well.
If you are employing a BYOD system, it is advised to restrict this privilege when working with sensitive data. Foreign devices, such as USB sticks or mobile phones, could compromise workstations with stored secure data. Unscrupulous staff could also easily take screenshots of the computer monitor and leak the data in that manner.
5. Breach Reporting
Not reporting a breach that has occurred as soon as possible, within 72 hours, is a serious breach of the GDPR warranting a substantial fine. Inform your employees that reporting any breaches to the supervisory authorities is mandatory as soon as the breach is detected.
They should note all the relevant details regarding the reporting and keep the records in a safe place. This will help in the case of further investigation by the regulatory authority.
6. Risk Assessment
The area where most small companies are lacking in expertise, but which is incredibly important for the overall effective and smooth functioning of your data processing activities, is risk assessment. The basic premise is simple: not all data is equally sensitive or valuable, so some data warrants special treatment. Other pieces of data, however, require only a basic level of security, since their loss would not present severe issues, even in the case of a breach.
The evaluation of risk requires a certain level of prediction, but it should be an educated best guess. In the simplest terms, the higher the likelihood of a breach, and the more sensitive the data is, the riskier its processing becomes. Such data requires additional safeguards to ensure its processing does not present a breach risk.
Take all the factors into account: Has your company suffered any cyberattacks lately? Are you processing data from a large number of users? Does the data contain personally identifiable information? Do you adequately log data? How good are your organisational data security measures? How about technical measures?
Abiding by the tips listed in this article should strengthen the last two criteria, particularly the organisational measures. A lot can be done just by introducing access controls and preventing unauthorised devices from being used on company workstations. Other measures are best introduced by your DPO, who will evaluate the entire company’s weaknesses in the field of data security.
7. Accountability
To ensure accountability among the staff, it pays to consider non-disclosure agreements as part of working with especially sensitive personal data. In most cases, this extreme measure will not be required, but regardless, the staff should be informed of the consequences of a neglectful approach towards data security, including the possible consequences for the company (huge fines).
Periodically review the confidentiality policies with your staff and make sure they understand all roles, responsibilities and obligations placed upon them regarding personal data security.
8. New Hires
New employees should be acquainted with the privacy best practices as soon as possible. If you regularly employ new staff, consider setting up a brief privacy training programme developed in conjunction with your DPO. That way, new employees will get up to speed quickly, with minimal downtime and as few errors as possible.
9. Staff Training
Despite your best efforts, eventually you will have to pay extra for staff education, so why not make it count?
Ask your employees what it is about the GDPR that they find especially confusing. Are there any gaps in their knowledge? Are some practices not up to par? This is all to be expected, and in most cases your staff is not to be blamed for it.
Collate their answers and then decide what areas require particular attention. Make sure to incorporate those into a clear security policy for the protection of personal data.
A data protection officer (DPO) could do all those tasks for you (and, in fact, should, as per the GDPR Articles 39 and 47). Appointing a data protection officer is not mandatory for companies that rarely process personal data, but it is a good idea nevertheless. A DPO can be outsourced and shared among companies to save on costs, while still letting you reap the benefits of a trained expert.
10. Security Policies
This should be the end product of your efforts, and it should include all the aforementioned points in a clear, concise and understandable manner.
With the help of a (possibly outsourced) DPO, you should draft a company-wide security policy that will serve as a reference point and a role model for your staff. A security policy is the building block upon which all other privacy and data related activities are based, as stipulated in Articles 24 and 32 of the GDPR.
Security policies contain all organisational and technical measures employed to ensure the safety of data. You should revise the policy annually. The most important part is to delegate clear roles and responsibilities to the staff. There should be no ambiguities.
A good security policy will also include a contingency plan in case of a data breach.
While spending a pretty penny on ensuring compliance is inevitable in the grand scheme of things, sound policies can help you cut down on costs considerably. This is especially true for smaller companies, where a hands-on approach can bring about great overall improvements.
However, expert advice is still necessary. Our experience suggests that not many small enterprises have their own privacy departments, so hiring a privacy expert is a very good idea. This is also strongly recommended in the GDPR, where a data protection officer does the bulk of the hard work. We therefore suggest that you appoint a qualified DPO. If the costs seem too large, outsourcing is a great option that can help you improve the overall privacy policies of your company, without putting a huge dent in your overall earnings figures.