Nottingham’s Russell Scanlan prepares SMEs for GDPR

Changes to the law surrounding data protection take effect in just three months, and businesses could face fines of up to four per cent of their turnover or 20m Euros (whichever is greater) if the new rules are breached.

Andy Jenkins, Operations Director at Russell Scanlan, the Nottingham-based independent insurance brokers, explains why it is vital that SMEs take note of the upcoming changes to how they collect, store and use data, and has produced a step-by-step guide on how to prepare for them.

He said: “With GDPR only a few months away, many businesses are allocating staff or even appointing dedicated teams to deal with the changes. To start, each company should immediately focus on and identify what personal data the business holds and if it holds any special categories of personal data i.e. Sensitive Personal Data or Data on Children.

“The business should then work on the 5 W’s of GDPR: where is the data coming from / stored / transferred to, what the data is, who has access to the data, why the business holds the data and when the data was gathered.

“Based on the answers to the 5 W’s, the business should then devise a Data Protection Policy, which should define the terms used surrounding data, the reasons the business will use for holding personal data, its data retention policy, aspects surrounding data security and who has access to the data.

“Next, the company should establish a Data Security Policy and consider using external consultants to undertake network penetration tests and seal any gaps in its IT network’s security - not forgetting the use of any portable devices, which, if they hold personal data, should be either password protected or encrypted. Don’t overlook the physical security of the building in which data is being stored either.”

Andy added that comprehensive GDPR training within the business will ensure that all staff understand the impact of GDPR and their personal obligations, and he explained the importance of appointing a Data Protection Officer within a business.

He said: “It’s essential that marketing teams have the correct consents in place to continue to use any data they hold for marketing purposes and have a robust procedure in place to evidence the consents required to use data. Make sure this is auditable.

“Also, ensure any third party, with whom data is shared, has a robust approach to GDPR and if they are outside the EEA have the necessary permissions and safeguards in place. Every business should also ensure it has a robust policy to cover any Subject Access Requests made by data subjects and should devise a data breach policy and be mindful of the timescales in relation to notifying any breaches to the ICO.

“And finally, consider appointing a Data Protection Officer, or at least someone who is responsible for data related issues within the business and document everything. Remember that the ICO will ask for evidence of your approach to data in the event of a breach.”

If you need further advice about how to prepare for GDPR, contact Andy or a member of the Russell Scanlan team on 0115 947 0032 or email [email protected]