From your customers to employees and suppliers. You can count on us to keep them and your business safe.
The GDPR applies to all businesses that collect or store sensitive information, regardless of company size.
Coming into effect in May 2018, the GDPR requires organisations to not only be transparent in their reasons for collecting sensitive customer data but also ensure that this data is stored securely and responsibly.
Short on time? Click here to download our Easy Guide To GDPR Compliance which includes everything you need to know to start your business' data security and compliance journey.
If your organisation holds any of the pieces of information about its customers, it is required to adhere to the GDPR or face a potential fine.
But the UK is no longer in the EU?
The UK has now implemented the UK-GDPR which follows the same set of policies outlined by the EU-GDPR. If your organisation processes information from EU customers, it is now bound by both sets of regulation.
In order to be GDPR compliant, your business must adhere to one of six legal bases. These legal bases outline your reasons for collecting, processing and storing sensitive information.
One of the bases you may already be familiar with is consent. While this may seem the easiest option, maintaining consent can prove difficult, in addition to requiring strict record-keeping and giving users the ability to withdraw information at any point.
It is advisable then, to review all of the lawful bases and decide which one applies best to your business:
The ICO has published a three-part test you can take to determine whether there is a legitimate interest in processing this sensitive data.
To summarise, it is important to review each of these bases in detail to determine which one applies best to your business. Additionally, take note of what record-keeping practices you'll need to implement to remain compliant.
Keeping track of your processing activities is an essential part of GDPR compliance for small businesses and large enterprises alike. It also enables your business to demonstrate its compliance effort to customers, ensuring them that their data is being processed responsibly.
Companies should keep a "processing registry" which essentially details your business' legal basis, what personal data is being processed, how, why, for how long it's kept and what security measures are in place to prevent a potential breach.
Begin by identifying what personal data is collected across your business. Appoint one member of staff to be responsible for GDPR compliance so you also have a single point of contact should any external GDPR questions arise.
The cookie and privacy policies tells users on your website what data is being collected as they browse through your site. This is crucial if you use cookie data for marketing purposes. Additionally, it should highlight that users have the right to withdraw their consent to data collection, firstly through opting-out directly on your website and secondly by sending you a direct request.
These policies must be clearly outlined on your website and kept up to date whenever you implement additional tracking activities such as new advertising tools.
Additionally, you'll also need to give users the ability to opt-out of this tracking activity through the use of a cookie banner. This allows users to say no to collecting any non-anonymised cookie information, leaving just those which allow your website to run.
Keeping your customer's data is safe is an integral part of remaining GDPR compliant, but just how do you go about it? Let us take you on a whistle-stop tour of what is known as privacy by design.
Privacy by design is a GDPR principle which states that you must incorporate privacy not just into your data processing activities, but also into your business practices. This simply means taking privacy into account in everything that you do, from building your website through to daily tasks such as emailing.
But how do you go about incorporating this? For emails, it could be something as simple as avoiding sharing any personal information in the form of attachments, using instead a secure cloud platform such as Google Drive. It could be implementing two-factor authentication across any accounts containing sensitive information.
|For this step, [you'll need to take stock of what apps, accounts and software currently contains personal or sensitive information and ensuring these are kept secure.
In addition to complete GDPR compliance, Naq also takes care of all your business cybersecurity, baking privacy by design right in to your business.
As if you didn't have enough to do already, the GDPR requires that your business has a good incident response plan in place. Before you do, it's important that you know the difference between an incident and a data breach.
An incident is an event that impacts your information processing systems but hasn't impacted any personal data. This could be a malware attack on one of your office devices.
If any personal data is compromised, this then escalates to a data breach and includes but is not limited to; hackers getting access to your sensitive business data or this data being published online.
In order to be GDPR compliant, your business needs to include the following steps in its incident response:
Additionally, individuals to get access to all of their information through a Subject Access Request. Your business must comply with these requests without the delay and in most cases within one month.
Naq provides SMEs with a complete cyber security, GDPR compliance and staff training solution at an affordable monthly cost. Through our exclusive easy to use platform businesses can review their security actions, improve their organisation's security score and ensure their staff are trained on the most common cyber threats. All delivered for as little as £/€189 a month.
Take a look at our pricing page here. Alternatively, reach out to us on email@example.com and a member of our team will be in touch.