We all know by now that GDPR is about personal data but what does that mean to your business?
Personal data is information that identifies a person. Yep, that sounds straightforward enough. However, the regulations throw in this ‘directly’ and ‘indirectly’ curveball, making it more complicated.
We would all agree that a name, address, email, telephone number are personal data that directly identify a person. Not much disputing that.
But what about, say, a customer number or a payroll number? These are defined as pseudonyms by the Information Commissioner’s Office (ICO), which has prepared the framework for GDPR compliance. The ICO says that ‘Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.’
So this is a greyer area. However, to comply with the Regulations, it would be wise to include it as personal data. If you have any systems that record IP addresses (the unique string of numbers that identifies each computer using the Internet), these would also be classed as indirect personal data.
So how can small businesses start to make sense of this personal data maze? Here are a few actions you can take to help you on your way.
1. LIST THE DATA YOU HOLD AND WHERE YOU STORE IT
A good place for small businesses to start when considering their plan of action for GDPR compliance is to list all of the personal data it holds and where that data is stored.
Remember that the Regulations also apply to both digital and hard copy data.
2. WHY DO YOU HOLD THIS DATA?
3. WHAT IS THE RISK OF HOLDING THAT DATA?
Now that you have thought about the data you hold, why you hold it and where you hold it, you need to think about how this data could be breached.
What could happen that could mean the data you hold got out into the public domain?
There will be a limited number of ways this could happen, such as:
- human error (e.g. a mistake such as sending group emails with visible addresses)
- firewall hack (e.g. professional cyber criminals)
- internal hack (e.g. disgruntled employee, sales employees working their notice)
- lost laptop, phone, diary or device
- crime (e.g. burglary, theft)
- industry-specific threat
4. WHAT ARE THE CHANCES OF THESE THREATS HAPPENING?
OK, now you are ready to think about the ‘what ifs’.
5. IF IT DOES HAPPEN HOW BAD WILL THE IMPACT BE?
Now you need to decide what the impact would be if the threat became an eventuality.
6. HOW CAN YOU REDUCE THE RISKS?
Now that you have thought about your data, why you have it and how it could be breached, you need to think about what you could do for each piece of data to reduce the likelihood of the risk. For example, to minimise firewall breaches, you could implement a website maintenance and protection package and increase the stringency of staff passwords. For the possibility of an internal hack, you could apply a clear desk policy or consider imposing garden leave for sensitive data positions.
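Steps 1 to 6 together amount to a simple risk register: each piece of data, where it lives, why you have it, the threats from the list above, a likelihood and an impact for each, and a mitigation. The example below is added here and is not from the original article or the ICO; it builds that register for three constructed data assets (a cloud CRM, a payroll spreadsheet on a laptop and a paper diary), scores each threat as likelihood multiplied by impact on 1 to 5 scales, and sorts the result so the mitigations worth doing first come out on top. The scales, ratings thresholds and sample values are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed 1-5 scales for steps 4 and 5 (likelihood and impact).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Identifier types from the article: direct ones, and indirect (pseudonymous) ones
# that should still be treated as personal data.
DIRECT = {"name", "address", "email", "telephone"}
INDIRECT = {"customer number", "payroll number", "ip address"}


@dataclass
class Threat:
    name: str          # one of the breach routes from step 3
    likelihood: str    # step 4
    impact: str        # step 5
    mitigation: str    # step 6

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass
class DataAsset:
    name: str              # step 1: what you hold
    location: str          # step 1: where it is stored (digital or hard copy)
    purpose: str           # step 2: why you hold it
    identifiers: set
    threats: list = field(default_factory=list)


def classify(identifiers: set) -> str:
    """'direct' if any directly identifying field is present, 'indirect' if only
    pseudonyms/IP addresses are, otherwise 'none'."""
    if identifiers & DIRECT:
        return "direct"
    if identifiers & INDIRECT:
        return "indirect"
    return "none"


def rating(score: int) -> str:
    """Assumed banding of the 1-25 score into a traffic-light rating."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def register(assets):
    """Flatten assets x threats into rows sorted from highest to lowest risk score."""
    rows = [
        (t.score(), rating(t.score()), a.name, a.location, classify(a.identifiers), t.name, t.mitigation)
        for a in assets
        for t in a.threats
    ]
    rows.sort(key=lambda r: r[0], reverse=True)
    return rows


# Constructed sample inventory (step 1 and 2 answers for a small business).
ASSETS = [
    DataAsset("customer CRM", "cloud service", "order fulfilment and marketing",
              {"name", "email", "customer number"},
              [Threat("human error", "likely", "moderate", "BCC-only policy for group emails"),
               Threat("firewall hack", "unlikely", "severe", "website maintenance and protection package; stronger staff passwords"),
               Threat("internal hack", "possible", "major", "garden leave for leavers in sensitive roles; clear desk policy")]),
    DataAsset("payroll spreadsheet", "laptop (digital)", "paying staff",
              {"name", "address", "payroll number"},
              [Threat("lost laptop, phone, diary or device", "possible", "severe", "full-disk encryption and a screen lock")]),
    DataAsset("appointment diary", "front desk (hard copy)", "scheduling visits",
              {"name", "telephone"},
              [Threat("crime", "rare", "minor", "lock the diary away overnight")]),
]

if __name__ == "__main__":
    for score, band, asset, where, kind, threat, fix in register(ASSETS):
        print(f"{score:2d} {band:6s} {asset:20s} {where:22s} {kind:8s} {threat:40s} -> {fix}")
```

Running it puts the laptop-borne payroll file at the top (score 15, high), with the CRM threats in the medium band and the paper diary at the bottom, which is the prioritised to-do list that step 7 asks you to be able to show.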
7. HOW DOES THIS HELP ME COMPLY WITH GDPR?
By following the above steps, you are showing that you are evaluating and managing the information that you hold. This is step 2 of the ICO’s 12 Steps to Preparing for the GDPR: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf