GDPR - you need to undertake an information audit

In just over 4 months, your business will need to be GDPR compliant. No ifs, no buts, no maybes.

We await the UK’s own new Data Protection Act 2018 which is still being debated over in the House of Lords. This new Act will consolidate and add to your responsibilities which are already set out in the European GDPR and so whatever the UK Act says, you still need to be GDPR compliant as of 25 May 2018.

If you are already cracking on to ensure you will be compliant, then you will be ahead of the game. However, if you are reading this and have been trying to ignore GDPR or think it doesn’t apply to you then you probably need to have a rethink.

First up, you need to undertake an information audit. As a business you will almost certainly use people's personal data (writing a customer's name on an invoice means you are using their personal data – it really is that basic) and if you do, then that makes you a Data Controller for GDPR purposes.

A Data Controller under GDPR is the organisation which collects and uses the personal data. If you sell cars to individuals or are a service and repair garage – you are a Data Controller. The first 2 steps we suggest you take are to:

1. List what type of data you hold

2. Work out on what basis you are legally allowed to use that data

Your audit doesn’t have to be sophisticated, it could be as simple as this:

Type of data – customer details on invoices
Legal basis for using this data – necessary for performance of a contract, compliance with a legal obligation (keeping accurate records for HMRC)

Type of data – employee details
Legal basis for using this data – necessary for performance of a contract, compliance with a legal obligation (need to pay their tax, NI etc.)

Type of data – customer emails and postal addresses for sending out MOT reminders
Legal basis for using this data – consent (more on this next time) and, arguably, legitimate business interest (more on this to come too).

In very simple terms: as a business you will use personal data, so your starting point is listing what type of data you hold and then working out the legal basis on which you are allowed to use it. Once you have done that, you need to think about how you look after that data – physically and digitally.

Should you require any further advice or guidance in relation to the new General Data Protection Regulation, Lawgistics members can talk to the legal team.


Authors: Nona Bowkis

Published: 09 Jan 2018
