Although there is still a little over 5 months to go until all European Firms need to be complaint with the GDPR - there is a lot of work to be done. Your first step will be to do a Data Audit. This will help you understand just how large the road to compliance is for your company.
the GDPR is designed to give people 8 new rights
At the least, all businesses store data about their employees
If you store a person's name, and any other data about that person (eg. a Date of Birth; National Insurance number; their wage) you are storing personal data about that person. Even if it is in a notebook (handwritten) you will need to have identified it, and put in place some processes to protect it
A data audit is a list of ALL data that you store as a company. A lot of the data will be out of scope for the GDPR - but only when you know what you have, can you decide if it should be protected or not.
Before you start - or during the process you may decide that you need a Data Protection Officer (DPO) to manage the audit and outcome. This person will have very specific responsibilites and powers.
So now you know how big or small your problem is - what next?
Once you undestand the size of the problem you can start to put in place apropriate policies, procedures and security measures. If you have just one spread-sheet which contains all the personal information you store, and only two people have a business reason to access it - then it would be perfectly appropriate to pasword protect this in excel (which strongly encrypts the data - so don't forget the password!). Once this is done, tell the other person that needs access to it - and ensure they understand the importance that know one else access the data. If you want to go a step further - you could set-up logging to report on that file and see when its openned. But - that would be enough. In reality - we think it likely you will have a lot more data to deal with. And so - appropriate security, monitoring and encryption will be more complicated, as well as the process you need to put in place to properly manage the data...
We have 18 years of experience protecting business from threats.
Whilst the GDPR is not intended to add unneccessary burden to business - it does address genuine public concern about their data. Your company's response
will let your employees, the public and other businesses know that you have taken the regulations seriously and believe in protecting their data.
At a minimum, you should be implementing the policies outlined within the governments Cyber Essentials pages or even better - get Cyber Essentials Plus certified. If you are looking for the gold standard in security policy - then you will need to implement your own ISO 27001 Information Security Management System. We can help you implement these policies and give you the tools to fully achieve hese regimes. There are also a number of alternatives that lie between these two and so there is bound to be an appropriate path for your business. Fulcrum has all the tools you need to get ready for the GDPR