The EU General Data Protection Regulation (GDPR) exists to protect us all from most of the personal data abuse that happens on and off the web.
As a business we have to ensure that we are treating people fairly by how we access and use their data.
Some simple steps we need to take are:
- Create a data protection compliance folder for your company, physical or computerised. This is where you will hold the basis of your compliance.
- Maintain notes of all meetings and decisions relating to GDPR.
- Name the data protection officer for your company (often yourself).
- Identify and categorise all the ways in which your business collects information on individuals.
- Record the lawful reason for processing each of the categories.
- Ensure full consent for each piece of data is obtained and maintained.
- You will need policies for both data subject access requests and data erasure / correction requests.
- A retention schedule and data destruction policy will be needed.
- Lock away your data.
I would suggest that you do your own due diligence here as this is not a lesson in GDPR and I am not a lawyer. This is just a primer to get you thinking about how you obtain, maintain and dispose of personal data.
For more information please visit: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/