With GDPR now active across the UK, it’s crucial your records are in line with the new rules. FWD gives its advice on staying on the correct side of the law.
Carry out an information audit on all the data your company holds and what it’s being used for. You’ll need to check the type of personal information you hold – both in computer and paper records – on your customers and staff. It’s important that you know where you got the information from and that you have clear permission on record about how you can use it.
Identify your legal basis for holding and using the data you have on file. From now on, you will need records that show all your customers have consented to receive marketing messages from you, including leaflets, emails and texts.
If your legal basis for sending messages to customers is legitimate interest, you must explain this use of data. Make the explanation public for people to access and read, and keep it easy to understand rather than buried in legal language.
Update your privacy policy to include the new measures required under GDPR. Some of the new regulations’ concepts and principles are different from the previous Data Protection Act, so it’s important that every company – however big or small – addresses the changes.
Make sure you have procedures for deleting data if you’re asked to, making somebody’s data available to them upon request, preventing and reporting data breaches, and carrying out Data Protection Impact Assessments.
You may wish to appoint a Data Protection Officer to look after GDPR compliance. In some cases, this is a legal requirement – in others, it’s just good practice.