Staying afloat with GDPR

5 tips

Published on January 19, 2022 by Taceo Limited

By now most companies have updated their privacy and data protection obligations to take into account UK and/or EU GDPR requirements. You have probably taken one or more of the following actions:

✔ conducted privacy assessments and data mapping,
✔ documented records of processing,
✔ introduced or boosted data protection/privacy training and
✔ performed GDPR related audits periodically.

Having worked with clients on data protection and privacy matters over the years, here are 5 areas that need to be continually assessed and that internal business teams should take note of:

  1. Customer contracts – Ensure your customer contracts are updated to reflect appropriate data protection clauses and applicable standard contractual clauses to legitimise personal data processing and data transfers outside the UK and/or EU borders. Where you are sharing data, put in place a data sharing agreement and detail the responsibilities of each party.
  2. Suppliers – Implement data protection screening questionnaires for your suppliers. At a minimum this will allow you to determine whether your suppliers are meeting UK/EU GDPR requirements and whether there are any inherent risks your company may end up being responsible for. A simple questionnaire focused on data protection will help you assess and eliminate risks.
  3. Marketing – Review the use of personal data within your marketing platforms and databases. Know who you share your customer data with and where you obtain marketing data from. If you are buying in marketing lists, conduct due diligence on the validity of the personal data to ensure you do not take on unexpected risks. You may want to include warranties and indemnities in your contracts to allow for risks you end up assuming.
  4. Information security – Document and implement appropriate security policies that set out your company’s security measures and practices. Your security measures should factor in the obligation to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to customer/supplier/employee personal data.
  5. Privacy governance – Implement a privacy governance framework for your business. Put someone in charge of the governance framework who will also address data subject requests, data breach notification and responses, documenting the business’ practices in processing personal data etc. No matter how small your privacy team may be, use them effectively to help protect your company from potential breaches and fines.

Data protection is not just about complying with legislation. It is about retaining the trust of your customers and suppliers, and protecting your brand, your reputation and your profitability. If you would like to find out more about any of the above points, you can contact us at [email protected].