A year has passed since the biggest change to data protection law in Europe for more than two decades became law.
On May 25, 2018 the General Data Protection Regulation (GDPR) came into force. It was designed to make companies more accountable for the personal data they hold. In the UK it superseded the Data Protection Act (DPA) 1998, which was written long before the data revolution sparked by mass use of the internet. The DPA rapidly became outdated, unfit for purpose and unable to keep pace with technological development. The aim of GDPR is therefore to give individuals more control over their personal information while simplifying and modernising the protection of that data.
It is GDPR, alongside recent data breaches at large companies such as Facebook, that brought data privacy to the public's attention. But data protection has always been a top priority for any serious business handling large amounts of sensitive data. With data becoming an increasingly valuable commodity, and the volume of data being processed growing by the day, data protection is receiving more attention than ever.
Many businesses undertook a huge body of work to prepare for GDPR and treated the date the regulation came into force as the end of the project. Nothing could be further from the truth. Data protection, and staying compliant with GDPR, requires constant work.
Here are the key things you should consider in order to stay compliant with GDPR:
1. Most importantly, every business that controls and/or processes personal data needs to fully understand that it has been entrusted with highly valuable assets. It is therefore key to understand the basic rights of data subjects. The personal information in your systems belongs to the data subject, not to you: treat it with respect.
2. With that insight, the business can (and should) create and enforce controls to protect these assets across the whole organisation. Technical data security and access control alone are not enough; everyone in the business needs to know what part they play in protecting data.
3. Test your reporting processes before a real incident occurs (e.g. internal breach escalation and subject access requests). Under GDPR a personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it where feasible, and subject access requests must normally be answered within one month, so an untested process can cost you the deadline.
4. Have the correct policies and procedures in place and ensure all employees and suppliers have read and understood them.
5. Train your staff to understand and identify data risks.
Most workforce management systems on the market store varying amounts of personal data about your employees. That’s why it is imperative you understand how this data is stored and protected. Here’s what we do at Quinyx:
In summary (and in order to avoid the hefty fines that can follow if your business is not compliant with GDPR), you first need to ensure that everything you do internally is ‘by the book’: documented, communicated to your staff, and tested.
Secondly, when working with external suppliers such as a workforce management provider, you need to be certain of their own processes and the measures they have in place to look after your data safely. GDPR requires the relationship between you (the controller) and such a supplier (the processor) to be set out in a written contract, so check that the contract and the supplier's stated measures match what they actually do.