I remember working on a TUPE transfer (when staff are transferred to another organisation because it will carry out the same work) and waiting desperately for the staff data, so that I knew what I was getting and could be prepared! The company that had lost the work waited until the very last minute to share the staff data, and I remember pulling an all-nighter so that we could work out our costs and ensure that the transferred staff would receive the correct salary! We did make it, but JUST! And it took quite a while to get to grips with all of the terms and conditions once we received those!
I’m an Excel geek! I truly believe that having the right data, and knowing how to analyse it, is the key to the success of your business. It enables you to understand the needs and patterns of your clients and to recruit, develop and retain the best staff for your business.
So, now that you have established what personal data you hold on your staff and clients, and narrowed it down to what you actually need, you need to understand your responsibilities…
So back to my question – Are you a data controller or a data processor?
Being a Data Controller means you are an organisation that requests and stores personal information about your staff, clients and/or service users. A Data Controller also gives instructions to a Data Processor regarding how the data is to be used, e.g. a Payroll Processor, Accountant or Manufacturer.
Being a Data Processor means you act on the instructions of a Data Controller. As a processor, you have to show that you have the right systems and processes in place to secure that data.
Should a data breach occur, both the Data Processor and the Data Controller would be liable: the Data Processor for any omissions that led to the breach, the Controller for not ensuring the right processes were in place. The contract between Data Processor and Data Controller must stipulate that the Processor will adhere to the GDPR.
The regulation applies to citizens living within the EU, so even if you use Data Processors outside of the EU, they must also adhere to the regulations and would still be liable to be fined.
Most organisations will find that they are both controllers and processors. I can’t think of an organisation that doesn’t store, process and analyse data, for their own use and/or the use of others.
What is a Data Breach?
A data breach is any situation where an outside entity gains access to user data without the permission of the individual.
If a data breach should occur, the GDPR specifies that the affected company has 72 hours to notify the appropriate data protection agency and must inform affected individuals “without undue delay.”
This means you need to have a plan of action, should a data breach occur, as part of your risk register!
Are you ready for GDPR?