With fewer than 100 days to go before the General Data Protection Regulation (GDPR) comes into effect, it really is crunch time for businesses that haven’t started planning.
The GDPR aims to unify privacy laws across Europe and to protect the personal data of individuals in the EU. Any business holding the data of people in the EU, whether they are customers or employees, must adhere to the GDPR or face the penalties. In other words, Brexit is not a get-out clause.
With such a big change on the horizon for small businesses across the country, Real Business will present a few case studies on how others have approached the task of becoming GDPR compliant. First up, we spoke to Jo Sellick, MD of Sellick Partnership.
Established in 2002, Sellick Partnership is a professional services recruitment firm providing recruitment solutions to the private, public and not-for-profit sectors. Its consultants operate nationwide from offices in Manchester, Derby, Liverpool, Leeds, London, Newcastle and Stoke, providing both employers and jobseekers with a full recruitment service.
What is your current approach to holding customer and employee data?
We place great importance on the safety and security of our customer and employee data. All data is stored in state-of-the-art database systems running on multiple servers housed in our onsite air-conditioned and secured data centre. An encrypted copy of all data is also stored offsite, with changes to onsite data replicated each night.
Access to the data is controlled and restricted by UTM (Unified Threat Management) firewalls which deploy DLP (Data Loss Prevention) policies and scan all traffic for viruses. We are also fully prepared for the requirements laid out by the forthcoming GDPR regulations and our internal procedures meet the stringent requirements of our ISO 9001:2015 certification.
When did you first hear about GDPR and what were your first impressions?
We heard about GDPR early on in the process and I welcomed this change in legislation. However, the guidance initially provided was inconsistent and confusing. It was therefore important for us to break this down, and ensure we understood each part so we were prepared to discuss the changes with our clients and candidates.
What steps have you taken to make sure you are GDPR compliant?
Our ten-step action plan is:
(1) Elect a GDPR project team. This team will have overall responsibility for compliance with the new legislation and will be the point of contact for information requests from individuals and the Information Commissioner’s Office.
(2) Develop an internal communication plan to ensure everybody in the organisation has a clear understanding of the principles of the GDPR and what our internal policies and procedures are to protect personal information.
(3) Carry out an information audit – documenting all current processes, data flows and storage points of personal information.
(4) Identify our lawful basis for holding and processing the personal information of our candidates and own employees.
(5) Update our Data Protection Policy, Privacy Statement and Processing Notice to ensure they comply with the new regulation.
(6) Contact everyone in our supply chain involved in processing and storing personal data to ensure they are correctly complying with the legislation.
(7) Ensure we have a robust process in place to allow personal information to “be forgotten” on request.
(8) Cleanse all personal data from storage that we have no lawful basis to hold under the new legislation.
(9) Develop a procedure and plan how we will handle information requests and data breaches within the new timescales set out by the GDPR.
(10) Review, monitor and continuously improve our processes and procedures around personal data.
What do you think are the pitfalls for small businesses when it comes to GDPR?
It is crucially important to ensure businesses have a plan of action to deal with information requests and data breaches within the required time constraints. This is an area I feel many small businesses may neglect to spend time on. I would hope we never need to use this plan, but as the timescales are so tight you need a plan of action as a precautionary measure.
What would your advice be to any small businesses feeling panicked by GDPR?
My initial advice would be to try not to panic. It is important for companies to remember that although the new regulations are daunting, there is still time to become fully compliant. I would also advise all business leaders to attend sector-specific seminars and to take as much advice as they possibly can. It is crucial that before you begin and ultimately your business specifically.