Do you know what level of data protection risk your business is accepting? Creating the mandatory records required to comply with UK GDPR (the records of processing activities) empowers business owners and managers to identify and manage data protection risk. Once you know exactly what personal data is being processed in the business, you can act to:
- Reduce excess personal data to minimise risk
- Secure personal data relating to vulnerable groups, vulnerable data sets, and data in vulnerable systems
- Re-engineer processes to build in data protection by design.
Knowledge is power but only if you act on it.
Data protection failings put the organisation, its directors, managers and employees at risk, as well as its data subjects. The risks to the organisation include:
- Bad PR
- Loss of client/customer trust
- Erosion of competitive advantage
- Potential for regulatory action – responding to enquiries, enforcement action, monetary penalties
- Potential for legal action by data subjects claiming damages, including group (class) actions, since GDPR
- Negative effect on employee morale
- Tying up management resources to manage the incident and ongoing fallout
In a personal data breach scenario the data subject potentially risks:
- Identity theft and fraud, leading to financial loss
- Emotional stress
- Unwanted disclosure and publicity, even if only one person accesses the information without proper authority
- Loss of trust in the author of the disaster – your business!
- Time and cost managing the fallout from the incident
Would it not be better to understand what risks are present in current data processes and to manage them better? The point about risk is that identifying it allows you to move on to manage it: to avoid it where possible, and to mitigate and reduce it where it cannot be avoided. Peace of mind comes from knowing where you stand and a willingness to improve the situation, not from fear of the unknown.
For example, many businesses fail to implement a good Data Retention Policy that sets retention periods and weeds out the records that are no longer required. The risk exposure on twenty years’ worth of records is greater than on seven years’ worth. The organisation needs financial records for seven years for tax and accounting purposes; after that period they should be deleted. Deleting them leads to an immediate reduction in risk: data you no longer hold cannot be breached, lost or wrongly disclosed.
Another example: only data that is relevant to the purpose for which it is processed should be collected and held. The day of the “little black book” kept to record the family, hobbies and personality traits of the individuals you do business with is long gone. That information is not relevant and is, in fact, dangerous to hold. What grounds are there for holding details of family, or children’s names and ages? In a business context there are none. What does a hobby reveal? Train spotting, attending church or mosque, playing golf but needing a golf buggy due to….? Knowing that someone is a decision maker, or that someone else is a prevaricator, might only be your opinion, but an opinion recorded about an individual is still personal data and is disclosable if they make a subject access request to see the records you have kept. Hopefully no one keeps that kind of little black book any more, but it illustrates the point! Without the irrelevant material, the risks of holding children’s data and potentially special category data (religion, ethnicity, health and so on) are avoided.
And a security example: security is a key part of data protection. Not just the obvious security for data held in the office, at home or in the cloud, but also the technical arrangements of the third party service providers the organisation uses to process data on its behalf. Checking the security arrangements of those providers is the responsibility of the data controller. If your records do not show what data processing is outsourced, to whom, and where the provider is located, how will you check that contracts are in place and that due diligence has been carried out as necessary?
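The three examples above (over-retention, irrelevant data, and outsourced processing) all depend on the register being structured enough to query. The following Python is an added example and is not part of the article or its author's material: it reviews a small constructed register and flags records past their retention date, fields that look like special category or children's data, and outsourced processing that has no contract recorded or sits outside the UK. The record layout, the retention schedule (other than the article's seven years for financial records), the field labels and the sample rows are all assumptions made for illustration.

```python
"""Review a register of processing activities for avoidable data protection risk.

Added example, not part of the article. The register layout, retention
schedule, field labels and sample rows are constructed for illustration and
are not a template for any real organisation.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# Assumed retention schedule (years after last activity), keyed by record category.
# Seven years for financial records follows the article; the others are placeholders.
RETENTION_YEARS = {"financial": 7, "recruitment": 1, "marketing": 2}

# Assumed field labels that signal special category data or children's data.
SENSITIVE_FIELDS = {"religion", "ethnicity", "health", "children", "political_opinion"}

HOME_JURISDICTION = "UK"


@dataclass
class ProcessingRecord:
    name: str                      # what the record set is
    category: str                  # key into RETENTION_YEARS
    fields: List[str]              # personal data fields held
    last_activity: date            # date the retention clock starts from
    processor: str = ""            # third party processing on our behalf, "" if none
    processor_contract: bool = False   # written processing contract recorded?
    processor_location: str = HOME_JURISDICTION


def deletion_due(record: ProcessingRecord, schedule=RETENTION_YEARS) -> date:
    """Date from which the record should be deleted under the schedule."""
    start = record.last_activity
    target_year = start.year + schedule[record.category]
    try:
        return start.replace(year=target_year)
    except ValueError:  # 29 February with no leap day in the target year
        return start.replace(year=target_year, day=28)


def review_register(records, today: date, schedule=RETENTION_YEARS) -> List[Tuple[str, str, str]]:
    """Return (record name, finding, detail) for each risk the register reveals."""
    findings = []
    for r in records:
        due = deletion_due(r, schedule)
        if today >= due:
            findings.append((r.name, "over-retention", f"deletion due since {due.isoformat()}"))
        sensitive = sorted(set(r.fields) & SENSITIVE_FIELDS)
        if sensitive:
            findings.append((r.name, "sensitive-data",
                             "confirm purpose and lawful basis for: " + ", ".join(sensitive)))
        if r.processor and not r.processor_contract:
            findings.append((r.name, "processor-no-contract", r.processor))
        if r.processor and r.processor_location != HOME_JURISDICTION:
            findings.append((r.name, "processor-outside-uk",
                             f"{r.processor} in {r.processor_location}: check transfer safeguards"))
    return findings


# Constructed sample register; none of these rows describe a real organisation.
SAMPLE_REGISTER = [
    ProcessingRecord("Sales ledger 2012", "financial", ["name", "address", "invoice"],
                     date(2012, 4, 5)),
    ProcessingRecord("Sales ledger 2020", "financial", ["name", "address", "invoice"],
                     date(2020, 4, 5)),
    ProcessingRecord("Client contacts", "marketing", ["name", "email", "children", "religion"],
                     date(2023, 6, 1), processor="MailCo Ltd", processor_contract=True),
    ProcessingRecord("Payroll", "financial", ["name", "bank", "health"], date(2024, 1, 31),
                     processor="PayBureau", processor_contract=False, processor_location="US"),
    ProcessingRecord("Recruitment 2016 intake", "recruitment", ["name", "cv"],
                     date(2016, 2, 29)),
]
TODAY = date(2024, 6, 1)  # assumed review date

if __name__ == "__main__":
    for name, finding, detail in review_register(SAMPLE_REGISTER, TODAY):
        print(f"{name:24} {finding:22} {detail}")
```

Run against the sample register on the assumed review date, the script reports two record sets past their retention date, two holding sensitive fields that need a documented purpose, and one processor with no contract recorded and a location outside the UK. The register is the input; the findings are the "knowledge" the article says you must then act on.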
Keeping your mandatory processing records up to date should be as easy as carrying across the information from the DPIA (Data Protection Impact Assessment) risk assessments for new projects and for changes to existing processes. Assessing the risk in an existing set of records and the risk in a potential new set of records is the same exercise.
So, it really is that simple. Work out what personal data your business processes and create the mandatory GDPR records, then reduce risk by avoiding the risks that can be avoided and mitigating those that cannot. Let your records inform compliance activity going forwards. If you need assistance creating the mandatory GDPR records or working out the business’ ongoing compliance plan, contact us. We would love to help.
Mandy P Webster, Data Protection Consultant