Helping businesses prepare for GDPR — the tour continues

In the office we joke about printing t-shirts to list the number of “tour dates” we’ve had where we’ve been talking to businesses of all sizes across Scotland about the new data protection regime.

As you will be all too aware, the new legislation comes into force on 25 May, just a couple of short weeks away.

And so far, I have spoken at more than 20 such events throughout Moray, the Highlands and beyond, with two more on the horizon, the first this Thursday in Grantown-on-Spey.

I’m glad to say the mood is pretty positive, no doubt helped by greater stability being seen in the north east oil sector, and the continuing tourist boom in the north.

However, some have been initially less upbeat about the forthcoming regime.

That concern is understandable, but it’s also fair to say there has been considerable scaremongering about GDPR.

With that in mind, let’s take a look some key aspects of the regime, as well as practical advice about what businesses should be doing now to change their approach to data protection.

Embracing the GDPR?

As individuals, we‘re rightly protective of our personal information.

It concerns and irks us that this data could be misused by organisations ranging from high tech companies to cold callers with the uncanny ability to get in touch just as we sit down to dinner.

That said, GDPR is an opportunity to get on top of the vast amounts of personal data all of our businesses hold, both on and offline.

No business will be a personal data free zone, and of course, doing this well will mean additional work.

Perhaps the biggest change is to meet the requirement for “demonstrable compliance.”

This means it’s no longer enough to simply comply with the principles of data protection: we now need to show how we do this.

So we need to have a clear paper trail in place, and the practices to back this up.

To do list

With all this in mind here are some steps I recommend you consider for your business —

Carry out an audit of all the personal information you hold

Question why you hold the data and for how long — if you cannot answer these questions you will not be GDPR compliant

  • Review your security, including IT

  • Appoint a data protection team or officer — although everyone in your business should be alerted to their responsibility for data protection compliance, it’s also important that someone takes ultimate responsibility for the handling of personal data

  • Get your paperwork in place including an updated data protection policy and the all-important “privacy notices” that you will be required to provide to individuals whose data you hold

  • Review contracts with all “data processors” who are processing information on your behalf (such as external pay roll providers, for example)

  • Alert and train staff

We should also pay particular attention to the new requirement to report loss of personal data to the information commissioner.

If you are in the unfortunate position of having to do this — and no business is risk free — then this may be mitigated by being able to demonstrate all the work your organisation has done to be otherwise compliant.

Plus, as we count down to 25 May, we’ve added more tour dates.

Event details and registration

Grantown-on-Spey with Cairngorms Business Partnership — 10 May, 10.30am – 12.30pm. The Pagoda, Seafield Avenue. Free for members, £12 for non-members. Book your place online.

Fort William with Lochaber Chamber of Commerce — 24 May, 12.45pm - 2.30pm. The Lime Tree Hotel. Free. Book your place online.

I’ll also be giving an employment law update to Lochaber Chamber members in Fort William from 09:30am – 11:30am on the 24 May, with topics including harassment in the workplace, privacy and the impact of the abolition of tribunal fees. Book your place online.

An earlier version of this article appeared in the Press and Journal’s Leader publication on 5 May.