As business owners, we are specialists in our own right. But we do not know everything – no matter how much we Google. Sometimes, it is too time-consuming to do it ourselves, too technical or just brain-numbingly boring. That is when we need to look externally for help, either as a long-term solution or as a short burst of guidance using a consultant. But getting that help can be a project in itself. How do you find the perfect fit?
Businesses get accreditations to show they have met a certain standard within a certain area or sector. Some accreditations include CHAS (health and safety), the Data Security and Protection Toolkit (health and social care) and PQASSO.
The Data Security and Protection Toolkit is a self-assessment that shows commissioners and CQC that you have met a certain level of compliance in data protection.
Where do I start?
One of the hardest parts of getting accreditation is to decipher what the assessors are looking for and then collate it all.
Getting material together for an accreditation can be difficult and time-consuming.
What is Accreditation Support?
We work with a business to go through the accreditation instructions, identify what documentation you need and collate it in a logical way, ready to submit.
What do we do?
We break down the accreditation requirements into:
a list of the documents you need
easy-to-understand questions to be answered to provide evidence
scheduled online sessions to ‘blast’ through the questions and collate the evidence, where necessary
completed questions and upload of the evidence provided
We will even help identify what material is missing and support you to create AND implement it in the organisation.
Guarantees
We cannot guarantee accreditation, as this is based on the answers and information provided by the business. Unfortunately, we can’t get accreditations when the information and material are not there. BUT we can work with you towards gaining accreditations.
If you would like to know more, book a free 30 minute chat to see how we could support you best.
Data protection is all about the rights of an individual and the systems you need to have in place to comply with the requests that, sooner or later, you will be faced with from the people whose data you may hold or process.
Knowing what those individual rights are will help you to recognise a request when you encounter one. It will also be a big help when putting the policies in place to deal with them within the required time. Familiarity with these eight key rights will also help you record the requests you receive and recognise the importance of handling and transmitting the data safely and securely.
Here is a breakdown of the rights of an individual regarding data:
The right to be informed
The collection of a person’s data and its subsequent use are things they have a right to be informed about. It’s important to provide the following things:
The reasons why you are processing their data
How long you intend to retain it and who you will share it with. (This is privacy information, which has to be provided when you collect the data itself)
The information you provide must be transparent, easy to understand and no longer or more complex than it needs to be
The right of access
Everyone has the right to access their personal data and other supplementary information by making a ‘subject access request’ (SAR). This request can be made to you verbally or in writing by the person themselves or a third party acting on their behalf.
A business usually cannot charge a fee for dealing with a SAR
They have to be dealt with in a timely way, usually within one month of receiving the request (this can be extended if the request is considered complex)
The data must be disclosed in a secure way
The right to rectification
Sometimes, the data held is inaccurate or incomplete; an individual has the right to have it rectified.
The request can be made verbally or in writing
As with a SAR, this must be undertaken in a timely fashion, within one calendar month
The right to erasure
The right to be forgotten is one that everyone has, although there are certain extenuating circumstances when not all data can be deleted. This might be as a result of other legal regulations and reasons.
The right to restrict processing
In certain circumstances, an individual has the right to have their personal data restricted or suppressed: you may store it, but you may not use it.
The right to data portability
As the name implies, data portability gives a person the right to obtain the personal data you hold about them and reuse it for a different service. That might help them find a better bank, a different GP or a cheaper energy supplier.
The right to data portability applies only to information that has been given to a controller.
The right to object
Everyone has the right to voice objections to their data being used for direct marketing. However, under certain circumstances, companies can continue processing data if a compelling reason to do so can be proven.
You have to inform an individual about their right to object
You can refuse an objection, but you need to be aware of the information you have to provide in doing so
Rights around automated decision making and profiling
Automated decision making and profiling remove the human element from decisions and evaluations about an individual and their data.
Businesses can only carry out automated decision making and profiling under certain contractual, legal and explicitly consensual conditions
The facility to challenge a decision or request human intervention must be in place
Systems must be audited regularly to ensure they are working as they are meant to
For more detailed information relating to the individual’s rights and how you and your business can be fully compliant, visit The Information Commissioner’s Office website, where there is a dedicated breakdown and checklist for each.
Alternatively, reach out via my site for the help and advice of a GDPR specialist.
We know that GDPR is unavoidable for businesses of every size and scope. We also know that the requirements are considerable, and at times they can even feel overwhelming.
Don’t worry. Help is out there in the battle to understand exactly how you and your business will navigate a smooth path towards compliance.
The underpinning principles of GDPR are an excellent starting point.
Each of the principles is worthy of a deep dive in its own right, but for now, let’s take a brief look at each: what it involves and how it can help you to process data safely, securely and legally.
Remember, these are set out at the start of the legislation itself to help organisations and the people who run them make decisions. They will also enable you to put in place the practices that embody the spirit of good GDPR practice.
Processing data in a lawful, fair and transparent way
This principle may seem self-explanatory; it basically requires that the practices you use to collect data don’t break the law. Adhering to it takes a sound working knowledge of GDPR, though, if you are to achieve the principle’s intended goals: ensuring nothing is hidden from data subjects, and stating in your privacy policy the type of data collected and the reasons for its collection.
Purpose limitation
Data has to be collected for a pre-defined and specific purpose and only for as long as necessary for that same purpose.
Data minimisation
When it comes to personal data, only process that which you need.
Data accuracy
GDPR expects that every reasonable step is taken to ensure the accuracy of data. If that isn’t the case and processed data is inaccurate, then erasure or prompt rectification is vital. Individuals have the right to request it.
Storage limitation
Another important aspect of GDPR compliance relates to safely and securely deleting data that is no longer needed. How do you know when that is the case?
When does a customer stop being a customer? When is data relating to a former employee, business partner or freelancer considered obsolete?
These are complex questions, and the answer will vary depending on an individual’s industry and the reasons for the data itself. To be sure, and allay any doubts, consult a professional.
Security
Data must be processed in a way that guarantees its confidentiality and integrity. That includes protecting it against accidental loss, theft or partial destruction. This principle is intentionally vague to allow for changing technologies and evolving methods of best practice.
Many organisations look towards encryption, cloud-based services and staff training to fulfil these criteria.
All these principles should lay the foundation for the general data protection regime and always inform a solid GDPR policy.
As a certified Data Protection Officer, I can offer the help and support you need to ensure you and your business follow the principles underpinning GDPR compliance. You can send me a message, live chat or request a call any time. I’d love to help!
When it comes to GDPR, even a short title such as the one above can provoke a range of questions…
What is the definition of processing?
What are the lawful ways of processing?
How can I make sure I’m complying with them?
What data does this even apply to?
Relax and take a breath. If you’re concerned, that shows you care, and on your journey towards compliance and GDPR best practice you certainly aren’t alone. I deliver help and support weekly to businesses of every shape, size and flavour, helping them process their data lawfully.
Breaking it down
There has to be a lawful basis for processing personal data. The good news is there are just six to choose from, and we will look at each a little more closely to help you understand the basis on which you process yours.
But first: What on earth constitutes processing?
From a GDPR point of view, processing refers to any single operation (or set of operations) that is performed on personal data.
If you do any of the following, then you are processing data:
Collecting or recording it
Organising or structuring it
Adapting or altering it
Storing or retrieving it
Restricting, erasing or destroying it
As a rule of thumb, if you are unsure, assume that you are processing personal data, because 99.9 times out of a hundred, you are.
And if you are, then you need a lawful reason to do so; this is one of the most important principles that underpin data protection.
The six lawful bases for processing data
While no single one of the lawful bases for processing data is better or worse than the other five, the one that applies to you or your business will be informed by your purpose and the relationship you have with the person or people whose data you process. It is important to identify which applies to you.
It has to be determined and documented before you process anything. The Information Commissioner’s Office has a handy online tool to help with that.
The six lawful bases are as follows:
Legitimate interest:
If the processing of data is necessary for the legitimate interests of you or a third party then this basis will apply. Remember though, if there is a good reason to protect an individual’s data then that may override those legitimate interests.
Public Interest:
This basis applies if the data processing is vital for a task that is clearly in the public interest or part of an official function with a clear and present basis in law.
Vital Interest:
The basis that really means what it says: vital interest revolves around processing data that is necessary in order to protect someone’s life.
Legal Obligation:
Some forms of data processing are necessary for you or your business to comply with the law; if that is the case then your basis is one of legal obligation.
Contract:
If data processing is necessary due to a contract that exists between you and an individual, or they have asked you to undertake specific steps prior to entering into a contract, this is a lawful basis for processing their data.
Consent:
If you have clear consent from an individual, to process their data for a specific purpose, then consent is your lawful basis for doing so.
Sometimes, your own lawful basis for processing data may be obvious, but sometimes not, and it is important to get this right the first time and to ensure it is demonstrable. You may have more than one purpose, for example, or your circumstances and reasons for processing data may change over time.
Those are the occasions when the services of a GDPR specialist can really make a difference. If you need help and advice around this, or any other aspect of GDPR compliance, then get in touch.
Data protection is not something new. It goes back to 1948 and the Universal Declaration of Human Rights. It has come a long way since then, most notably with GDPR, which was agreed upon by the European Union in April 2016 and came into force in May 2018. In the UK, GDPR was enshrined in the Data Protection Act 2018.
Knowing exactly what GDPR is all about, why we need to understand it, and why it is important are all a big deal, because if things go wrong just once, it’s already too late…
What is GDPR?
Basically, it is the umbrella term for the set of legal requirements that govern how we handle people’s information. That information might be personal information such as cookies, names, addresses and other contact details. It might be sensitive information, such as ethnicity, medical history, sexuality or even credit card details. The General Data Protection Regulation covers both digital and hard copy information.
Why do we need to understand it?
To put it simply, it’s the law, and we need to understand it to ensure that (much like with every other legal requirement) we know, and can demonstrate, that we are doing things the right way.
For many, Brexit has caused some confusion around the steps they need to take for continued compliance. It’s essential to remember that the Data Protection Act 2018 encompasses GDPR and stretches way beyond the EU borders. If you are UK based and dealing with EU clients or businesses, GDPR is just as important as before.
Post-Brexit, UK data protection law still incorporates all the key elements of GDPR, meaning that for businesses the expectations are much the same as before. Understanding the legal requirements and doing things the right way can carry a range of benefits for your business, such as:
Protection from cybersecurity threats, data theft, fraud and breaches
Proof of the lawful, fair and transparent way you do business
The best image for your brand and the ability to do business with a wider range of partners
Why is it important?
Integrity and confidentiality are vital for data security. Having measures in place that prove good physical and technological security levels goes a long way towards demonstrating compliance. It can also foster a positive and forward-thinking culture that can drive your business forwards.
Good data compliance can also drive efficiency. It prevents organisations from effectively hoarding more data than they need by ensuring they collect only relevant information for its intended purpose.
Businesses can also demonstrate the provision of the legal rights for employees, clients and individuals (data subjects) concerning:
An individual’s right to be kept informed about the reasons why their data is held and who it might be shared with
Their rights to access the data held about them on request
The right to change data if it is wrong or incomplete
Their right to be forgotten if there is no good reason for their data’s continued storage
The right to restrict data, if it is wrong or has been processed inaccurately
The right to opt-out of any automated decision making processes their data might be used for
We can see GDPR hasn’t gone away. In fact, post-Brexit and with so many of us working remotely, in an ever-changing business world these days, it’s become more relevant than ever.
If you have questions or concerns about GDPR compliance, I can help put your mind at ease or work out the answers.