GDPR and The Managing Director
This Month: The Managing Director…
Welcome to the first post in our series of professionally-themed insights for 2019.
Each written with a specific profession or role in mind, they’re packed full of helpful ponderables, tips and advice to make the GDPR work for you in your everyday 9-5.
This month, we’re covering the accountability need-to-knows, good-to-knows and no-nos (!) for all you Managing Directors, co-founders and business owners out there.
We hope it makes your GDPR life that little bit easier.
Dear Managing Director / Co-Founder / Business Owner…
It’s okay. We understand.
We know what it’s like trying to run a successful business, keep everyone happy and still have time for all the other work and finer details that come with the job – let alone all the GDPR stuff to remember!
That’s why we’re ideally placed to help you make the most of the GDPR in your role as numero uno, and to ensure that you’re on top of its most important aspect: accountability.
So, whether you need some basic pointers, a gentle prod on how to be more compliant or explicit direction on what not to do, here’s a new-year-helping-hand from us to you…
Some Key Questions
Okay, first things first and we’re going to jump straight in:
- Since you’ve been running the business, what have you done/are you doing to build the right GDPR culture and show accountability?
It’s a key question because, as one of the main data protection principles, accountability is all about taking responsibility for what you do with people’s personal data and showing that you comply with the regulation’s other principles too.
Accountability also involves having appropriate technical and organisational measures in place as part of good practice and needs to come from the top… So, yes, that means you! (And particularly if you also happen to be the data controller.)
Knowing that, then – try this:
- Which of the following ICO-recommended measures have you put into practice?
  - Adopting, documenting and implementing data protection policies.
  - Maintaining documentation of your processing activities.
  - Having written contracts in place with organisations that process personal data on your behalf.
  - Implementing appropriate data security measures.
  - Recording and (where necessary) reporting personal data breaches.
  - Carrying out Data Protection Impact Assessments (DPIAs) for uses of personal data likely to result in high risk to individuals’ interests.
  - Appointing a data protection officer (DPO) for any large-scale processing.
  - Adhering to relevant codes of conduct and signing up to certification schemes.
These measures should involve clear and up-to-date data mapping of all your processes, systems and information; undertaking appropriate due diligence and formal contracts with any third-party processors; and installing robust, precautionary measures to ensure that data protection really does mean protection!
Hopefully, this will have minimised your risk and prevented any data breaches to date, but it’s also worth considering what future contingency planning you should have in place should one occur.
It may be that you’ve already experienced a data breach; in which case, what did you learn from it and what do you now do differently? (It might have been something as simple as forwarding an email to the wrong recipients, and having since introduced a routine double-check before hitting send.)
Or, following on from these, how about:
- Overall, what sort of training do you provide your staff with, and how up to speed are they with the GDPR?
If you really want to achieve true accountability and company-wide compliance, then everyone in the business needs to get why safeguarding others’ personal data is so important; and, also, why it applies to all and not just the chosen few.
Adopting a privacy management framework as part of a ‘data protection by design and default’ approach will help you do this.
By laying on training and awareness programmes and developing internal guidelines for employees, you’ll give yourself the best possible opportunity to get everyone on board and create a respected privacy culture across the business.
- Under the GDPR, the principle of accountability goes hand-in-hand with demonstrating compliance.
- Proactive compliance starts at the top and needs everyone’s buy-in.
- GDPR accountability shouldn’t be approached as just a tick-box exercise – it’s an ongoing process that continually needs to be monitored and updated.
- Conducting regular internal and external audits is a good way of showing what you’re doing well and identifying any areas for improvement.
- If possible, it may be worth considering appointing a DPO.
- Subscribing to an industry code of conduct is another way (although not obligatory) to show compliance and that you’re taking accountability seriously.
- Being accountable can help you build credibility and trust and may help mitigate against potential enforcement action.
And whatever you do, please…
- Don’t dismiss the GDPR or fail to find the time to take it seriously.
- Don’t hope that GDPR will go away. It won’t!
- Don’t put off asking for help if you need it…
Help and support is only a quick email away
It’s often said that it’s lonely at the top (Bonington? Christmas fairy?), usually because there’s no one to turn to for support when you need it the most.
That’s what we’re here for.
And however far you are with GDPR – whether you’ve not really started yet or feel like you have most of it covered – there’s always more to do.
It’s also said (by Confucius, probably) that: “The man (ahem, woman too) who moved a mountain started with a small stone.”
It’s all about taking the right-sized steps. So, if you need a hand or would like us to help you with a compliance check, get in touch. (We never judge – only help!)
As well as our pen, notepad and a head full of GDPR bright ideas, we’ll even have a wheelbarrow on standby.
Next month in GDPR and The Professional: The HR Manager…