Following on from the first article, here are another four points for you to bear in mind:
• what data should you collect?
• how long should you be keeping it?
• be sure to keep it safe at all times, and
• know what you have and where it is.
What data should you be collecting?
Don’t collect anything you don’t really need. You should be able to justify whatever you are collecting. If you do this, then you won’t go far wrong, because should you be asked, “Why are you collecting this data?”, you will be able to answer and prove it. You will also be able to reflect the reasons in your privacy notice, which is a subject for another day.
How long can you keep the data?
Again, how long do you absolutely need to keep the data? Don’t forget, if you’ve only got what you absolutely need, your risk is much smaller than it potentially could be, and you will be avoiding problems that could arise. Data breaches could potentially destroy the business you’ve worked so hard to build!
Keep the data safe at all times.
Doing that will include things like having good passwords that you don’t share or repeat, encryption and multi-factor or 2-factor authentication. If you do any online banking, you know exactly what that is as you have to authenticate with a second method or device. Most software makes this possible and platforms such as Google, Facebook, LinkedIn, etc. all offer multi or 2-factor authentication. Wherever it’s offered, I strongly recommend you take them up on it. Encryption of your devices, as well as data during storage and transfer, is another important step to take. These precautions all relate to cybersecurity, but security is a requirement of GDPR. Wait for a later article on some common-sense ways that you can deal with your cybersecurity risks at home or in your office without huge cost or stress.
Know what data you’ve got, and where it is.
Make sure you know how it’s stored, whether it’s secured and how it’s secured… you get the message. The key here is to understand that if you don’t know what you’ve got and how/where it’s processed, you can’t fulfil your GDPR responsibilities. A strong recommendation is to keep (and update) a written record, even if you aren’t an organisation that has to do so according to the regulations.
Look out for the third and final instalment of GDPR common sense.
Here’s the link to the first instalment, if you missed it: Part 1