You might be heaving a sigh of relief that the steady stream of GDPR emails has come to a close, but if your business handles personal data there's a lot more GDPR still to come. Here are the aspects of GDPR that your staff have to get up to speed with, and the ways that you should talk about them.
Make sure everyone actually knows what it is
OK, there's a lot of material going around about GDPR, and it's unlikely that your staff know nothing about it - but there's also a lot of misinformation out there, or outdated information from when the GDPR was first announced. It's a complex subject, so start by defining it to get everyone on the same page.
What constitutes personal data?
This is essentially anything that pertains to a person - as little as an email address with your name in it. If the information can be used to trace it back to a person, it's considered personal data. This is massively wide-ranging, so if you have that information in your possession, you have to adhere to GDPR. Make sure your staff know which of the data they handle comes under this description.
Talk about the terms they'll come across
Your employees might not be familiar with some of the terms pertaining to GDPR, for example 'controllers' and 'processors'. A controller determines the process and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller. Sub-processors do the processing on behalf of another company - like someone sorting your business's payroll. These terms are going to come up again and again, so make sure your team know them inside out.
Prepare for the GDPR principles
The principles of GDPR set out the specifics of the information you can hold: it must be lawful, limited, accurate and up-to-date, kept for no longer than is necessary, and secure.
A lot of your employees might not come across this kind of thing often, but familiarising them with these regulations and provisions is important for your business. It will go some way to preventing employee missteps and mistakes when they're handling customer and client data. Ensure that everyone understands the principles, and which of them apply to your company.
Rights for individuals
There are eight rights for individuals within the GDPR. Discuss the ways that these rights relate to your business; it might be helpful to provide examples of when your clients and customers can exercise these rights, and when they cannot.
It's also worth mentioning the amount of time you have to respond to some of these requests - which is a month. Additionally, these rights are not absolute - under some circumstances they can be refused. Make sure your staff know the chain of response when a customer or client submits a GDPR request, and who to refer these requests to. This will prevent requests being lost internally, and ensure you continue to adhere to GDPR.
Think about the weirder ways it could apply to your employees
A good example of this is old emails. If your employees are hanging on to emails, or filing them away in a folder, they could be inadvertently retaining personally identifiable information. If this is retained for a certain length of time you could be in breach of GDPR. Consider any and all ways that your employees might be hanging on to others' information; it will make your GDPR compliance watertight.
Have a chat about hacks
Any organisation, no matter how small, can be hacked. Under the GDPR, you must report a personal data breach to the relevant supervisory authority within 72 hours of discovering it, or else pay hefty fines. If you don't do this, or your security is found to be lacking, you'll be billed enough to put most SMEs out of business.
As per the GDPR, you should also now have a listed Data Protection Officer. Make sure your staff know who this is, and how to get in contact with them if they need to - just in case any internal or external problems occur.
Don't panic
This could be a huge change in the way that you're operating, and it's only natural to feel a little uncertain about it. If you need to chat to someone, give CyberShelter a ring - they'll be able to give you up-to-date advice on everything GDPR.
Tweet us @TranscenditUK