GDPR for small businesses – ICO first audits
The GDPR is now one year old and the Information Commissioner’s Office has been monitoring adoption by businesses across the UK. As companies large and small get to grips with their new data privacy requirements, it’s understandable that not every business will get everything perfect the first time around.
When even the ICO admits its website cookie policy doesn’t fully conform to GDPR, small business owners can feel comforted if their data privacy policies haven’t been fully hammered out just yet. However, while the ICO doesn’t intend to come down hard on businesses clearly trying their hardest, the onus of responsibility is still on the business to protect data held and transferred by any employee, so ensuring all bases are covered will be vital as the implementation period comes to an end.
That being said, the ICO has begun releasing its first round of GDPR audits for businesses, highlighting a couple of key areas that small business owners may find particularly of interest.
Storing and deleting data
Any information that can identify a living individual is personal data under the GDPR, and information about a person's political opinions, health, ethnicity, religion or similar sensitive matters is "special category" data that carries stricter conditions. If your business holds any of this, you are required to tell the individuals concerned what you collect, why, how long you keep it and what safeguards are in place to protect it.
The GDPR does not set fixed retention periods; instead, its storage limitation principle requires that personal data be kept no longer than necessary for the purpose it was collected for. In practice this means your business must decide and document a retention period for each kind of data it holds (for example, how long invoices are kept for tax purposes versus how long marketing contact details are kept), and then actually delete or anonymise the data when that period ends. Knowing these periods and how they map onto your stored data is the foundation of your data disposal practice.
Data must be stored securely and disposal must be done properly. Simply deleting a file is not enough, even on a device that stays in use: deletion only removes the file's directory entry, and the underlying data stays on the disk until it happens to be overwritten, and on SSDs and in cloud storage it may never be. Securely erasing individual records usually means either overwriting them, or encrypting them under a key that you can then destroy, so that every lingering copy (including backups) becomes unreadable. When disposing of devices such as laptops, hard drives and USB sticks, follow a more rigorous process that makes recovery impossible: wipe the drive (or, if it was full-disk encrypted, destroy the key), then have the hardware physically destroyed by a certified disposal service that gives you a certificate of destruction for your records.
Disaster recovery plans
Internet-connected computers see attack attempts roughly every 39 seconds, so a data breach is less a question of "if" and more of "when". As part of a comprehensive data privacy strategy, business owners will need an incident response and disaster recovery plan in place. This should cover containing the breach, assessing which data and which individuals are affected, limiting further loss, and notifying the regulator and the people concerned.
GDPR requires that the ICO is notified within 72 hours of the business becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the people affected, the business must also tell those individuals without undue delay. Laying out in advance who decides whether a breach is reportable, who contacts the ICO and affected individuals, and what evidence is gathered along the way will streamline the response and help avoid both fines and the reputational damage of a late or muddled breach report. Note that the 72-hour clock does not pause for weekends, so the plan needs an out-of-hours contact.
Ransomware and denial of service attacks are among the most common attacks businesses suffer. Ransomware in particular can destroy or leak data, and a ransomware incident involving personal data is itself a reportable breach; strong backups that are kept offline or otherwise out of reach of the attacker, and that are regularly tested by restoring from them, are what lets you recover without paying. Cyber insurance does not reduce the data lost, but it can cover the cost of investigation, notification and recovery so that the business keeps running.
Subject’s right of access
The GDPR also gives individuals the right to erasure (the "right to be forgotten"): in many circumstances, for example where the data is no longer needed for the purpose it was collected for or the person withdraws consent, a business must delete all the data it holds on them and dispose of it properly when asked. The right is not absolute, so you may be able to refuse where you have a legal obligation to keep the data, but you must be able to justify the refusal. Individuals can also make a subject access request at any time, asking for a copy of all the personal data you hold on them and an explanation of how it is used. You normally have one month to respond, extendable by a further two months for complex requests, and you must tell the requester within the first month if you are extending.
This is another process that small businesses should plan for before the situation arises. Finding every place a person's data lives (CRM, email, invoices, backups, third-party services) and reporting it all within the deadline can be a difficult task in a small operation, so write down the procedure now, including how you verify the requester's identity, and keep it with your other compliance records.
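The following is an added example, not code from the article or from the ICO, showing one way a small business could make the disposal, retention and erasure obligations described above actually enforceable in software. It assumes a hypothetical record store in which every record is encrypted under its own key and the key is the only copy: destroying the key ("crypto-shredding") makes every copy of the record, including copies in backups, unreadable without having to find and overwrite them. The retention schedule, the record layout and the subject IDs are all constructed for the example. The cipher used here is HMAC-SHA256 in counter mode so that the example runs on the Python standard library alone; a real deployment should use an authenticated cipher such as AES-GCM from a vetted library.

```python
"""Crypto-shredding record store (added example, hypothetical design).

Each record gets its own random key. Erasing a subject, or sweeping records
whose retention period has expired, deletes keys rather than ciphertext, so
stale copies on disks, SSDs or in backups become unreadable noise.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for a real stream cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class RecordStore:
    def __init__(self, retention: dict):
        # category -> timedelta; the business sets these, the GDPR does not.
        self.retention = retention
        self._keys = {}      # record_id -> key (the only copy; deleting it is erasure)
        self._records = {}   # record_id -> (subject_id, category, collected, ciphertext)

    def store(self, subject_id: str, category: str, collected: date, plaintext: bytes) -> str:
        if category not in self.retention:
            raise ValueError(f"no retention period defined for {category!r}")
        record_id = os.urandom(8).hex()
        key = os.urandom(32)
        self._keys[record_id] = key
        self._records[record_id] = (subject_id, category, collected, encrypt(key, plaintext))
        return record_id

    def subject_access(self, subject_id: str) -> list:
        """Everything still readable about a subject, for a subject access request."""
        out = []
        for rid, (sid, cat, collected, blob) in self._records.items():
            if sid == subject_id and rid in self._keys:
                out.append((cat, collected, decrypt(self._keys[rid], blob)))
        return out

    def erase_subject(self, subject_id: str) -> int:
        """Right to erasure: destroy every key for the subject; returns how many."""
        doomed = [rid for rid, rec in self._records.items()
                  if rec[0] == subject_id and rid in self._keys]
        for rid in doomed:
            del self._keys[rid]
        return len(doomed)

    def sweep_expired(self, today: date) -> list:
        """Storage limitation: destroy keys for records past their category's retention."""
        expired = [rid for rid, (_, cat, collected, _) in self._records.items()
                   if rid in self._keys and collected + self.retention[cat] < today]
        for rid in expired:
            del self._keys[rid]
        return expired


def demo() -> dict:
    """Constructed walk-through: two subjects, one erasure request, one retention sweep."""
    store = RecordStore({"invoice": timedelta(days=6 * 365), "marketing": timedelta(days=365)})
    store.store("alice", "invoice", date(2019, 2, 1), b"Invoice 1042, GBP 120.00")
    store.store("alice", "marketing", date(2019, 3, 1), b"alice@example.test, newsletter")
    bob_rid = store.store("bob", "marketing", date(2017, 1, 1), b"bob@example.test, newsletter")
    return {
        "alice_before": len(store.subject_access("alice")),
        "alice_erased": store.erase_subject("alice"),
        "alice_after": len(store.subject_access("alice")),
        "expired": store.sweep_expired(date(2019, 5, 25)) == [bob_rid],
        "bob_after": len(store.subject_access("bob")),
    }


if __name__ == "__main__":
    print(demo())
```

Two things worth noting about the design. The key store is the one place that must be deleted reliably, and it is small, so it can live on storage you control directly (for example a full-disk-encrypted drive in the office) rather than scattered across every backup. And because ciphertext can be left in place, old backups remain restorable for the records whose keys still exist, which is exactly the property an erasure request otherwise breaks.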
Recording data processing procedures
An ICO audit will look at all the personal data processing a business undertakes and at how compliance is monitored within the organisation. Even if you and your staff understand the GDPR and work to stay compliant at all times, having no written record of what data you hold, where, and why will count against you during an audit.
The ICO expects businesses to know what personal data they hold and to keep a record of their processing activities: what is collected, the purpose, where it is stored, who it is shared with, how long it is retained, the risk assessments behind those choices and the lawful basis for each processing activity. Consent is only one of the six lawful bases the GDPR allows (others include contract, legal obligation and legitimate interests), so you need evidence of consent only where consent is the basis you rely on; for everything else you need a documented justification for the basis you have chosen.
Monitoring supply chain security
The transfer of data between businesses in a supply chain is a particular weak point: the security requirements of each business may vary, and the channels used to move data (email attachments, shared drives, file transfer sites) may be susceptible to interception or misdirection unless they are encrypted and access-controlled. Under the GDPR a business that shares personal data with a supplier stays responsible for it, and must have a written contract setting out what the supplier may do with the data and how it is protected. Many large businesses now expect every business below them in a supply chain to meet the same security standards, so that they are protected if any link in the chain is breached.
Having strong security practices at your small business could make it more desirable to potential clients and will help you build a reputation as a reliable partner. Similarly, if you work with businesses below you in the chain, holding them to your security standards is an important way of ensuring no harm is done to your reputation due to the mismanagement of data at any point in the chain.
Overall, GDPR adoption has been strong; both businesses and consumers have more confidence in their data privacy thanks to more rigorous restrictions. However, more will need to be done to ensure that all businesses are fully compliant and these recommendations are good ways to ensure that the ICO is satisfied should they choose to pay your business a visit.