While there’s a lot of helpful information out there about the General Data Protection Regulation (GDPR), at FreeAgent we’ve found that speaking to people and sharing knowledge has been the most valuable tool in preparing for the new legislation.
There are lots of great resources available if you’re just starting out on your GDPR journey, but the ICO website is the best place to get up to speed on the basics. If you are comfortable with the foundations of GDPR, read on for some of the key lessons we learnt on our own compliance journey, along with some top tips you may find helpful to apply in your own practice.
These observations are based on our own interpretation of GDPR, which may or may not be applicable to your own business. This article should not be interpreted as legal advice.
1. Assess and audit your systems and processes
Take stock of your current situation and clarify your position under GDPR. This includes determining if and when your business acts as a data processor or a data controller, and deciding whether you need to appoint a Data Protection Officer. Thoroughly auditing your current processes will give you a clear foundation to improve upon. We found it helpful to break our audit down by business function, for example new client or employee onboarding, anti-money-laundering checks, or bringing in new marketing leads.
What we learnt
To look at our data from every angle and build a full picture of its journey through the business, we asked ourselves questions such as:
- WHERE is data coming into the business and where does it go?
- WHAT data are we capturing at each point?
- HOW do we process data and keep it?
- WHY are we using this data?
2. Analyse the potential risks
Once you have completed your audit, you should be able to identify any potential danger points, both physical and digital. For example, are there opportunities for sensitive information to leave the premises, or for data sent via personal email or instant messenger to be intercepted?
What we learnt
Risk analysis is also a great opportunity to streamline your data and clear the decks of any excess information that’s bogging you down. You may find ways of working more efficiently and save valuable online or physical storage space: we cut out the paper filing of our personnel records and moved them securely into the cloud.
Some areas may not present an immediate compliance hazard, but could pose a longer-term risk to your business. For example, if you rely on physical files and someone exercises their right of access to the data you hold on them, you may suddenly have a lot of extra work to do to pull all your data sources together within the time limit. Additionally, holding data that is not necessary, or holding data for longer than needed, could pose a problem if you are audited.
If you use third-party systems for processing data, make sure that they are GDPR-compliant, and find out whether they can help you to meet your own compliance obligations. For example, FreeAgent makes it easy for you to respond to the rights of individuals whose data you process, through updates to the application.
3. What do you need to update?
Having gone through your audit and identified the risks, you should be in a good position to make a plan of action. Every business will be different, but some common areas are marketing, employee data, policies and contracts, data access and deletion, and breach handling.
Depending on how you decide to process your marketing after 25 May 2018 (the date GDPR takes effect), you may need to update your online and offline forms so that people can opt in to, or opt out of, marketing, depending on the lawful basis you rely on.
What we learnt
Experimenting with and testing different wording and designs on your forms can positively affect the number of people signing up to your marketing. We found that giving a choice of a “yes” or a “no” box to tick, rather than a single opt-in tick box, encouraged higher engagement levels, though it may be different for your business.
Check that you are storing your employees’ data in the right place and only keeping information that is relevant to carrying out your company’s obligations as an employer. Consent is not a quick fix here: consent must be freely given, and because an employer is in a position of power over its employees, consent they give is unlikely to count as freely given. Minimising the data kept, how long it is kept for and who has access to it is best practice.
Policies and contracts
Data access and deletion
If a client or former employee wishes to exercise their right to erasure (the “right to be forgotten”), how will you go about this? Updating your systems so that you know what you can and cannot get rid of, and how fast you can achieve it, will be beneficial.
What about a data breach?
If a breach does occur and is likely to result in a risk to individuals’ rights and freedoms, you must report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Documenting a process for this will relieve stress at what is likely to be an already difficult time and will give staff a structure to follow, especially if you are not there at the time. Preparing a holding statement may also be a helpful precaution.
4. Communicate, communicate, communicate!
Clarity and transparency are fundamental to GDPR. Make sure your whole team understands your obligations as a business and their contributions as individuals. GDPR is about building a ‘culture of privacy’, and this may require some internal education.
Communicating any changes in a confident and clear manner to your clients can also really enhance your position as a trusted advisor and market leader.
What we learnt
There may be an opportunity to use what you have discovered to help your clients. They may have GDPR questions of their own, particularly if they are small business owners who process other people’s details. Offering them reviews of the impact of GDPR on their financial data may set their minds at ease, whilst presenting a potential business opportunity for you.
5. Record it and don’t forget it!
You’ve done a lot of work to stay compliant, so make sure you don’t lose track of it! Recording your journey to compliance, detailing your decision-making and the outcomes of any legitimate interest assessments, for example, all provide valuable evidence of your compliance.
What we learnt
Putting individuals’ data rights at the heart of your business is more than a one-off exercise. As systems change, technology advances and teams grow, exposure to compliance risks can also increase. ISO 27001 is the gold standard for information security management, but working towards SME-focused certifications such as Cyber Essentials can offer a more manageable framework for data security while differentiating your business. We have taken the opportunity to build regular audits into our way of working in order to limit future risks and identify new opportunities down the road.
GDPR is not a deadline, it’s a culture change. Building compliance into the fabric of your business on an ongoing basis is the only way to truly embrace the ethos of the legislation. Regular training, auditing and data purges, along with keeping documentation up to date, are the best way to ensure your business is in the strongest position for GDPR.
FreeAgent is an award-winning online accounting software solution for small business owners and their accountants. Get in touch to find out how FreeAgent can support you and your clients.
- Call: 0800 025 3900