- Consider processing personal data in such a way that you can’t tell from looking at it which person it relates to. You would need additional information (a key or code), kept separately and securely, to decode it. This is known as ‘pseudonymisation’.
- Think about whether some data can be anonymised. Do you really need to be able to identify the employee to use the data? For example, if you are processing information for research or statistics then you could probably anonymise it. We see this a lot in the public sector when data is collated for the purposes of equal opportunities.
- Use passwords and encourage employees to use more complex passwords, not to share them, and to change them regularly.
- Encrypt data where possible, particularly if you are transferring data or allowing remote working.
- Think about the devices that employees use and their security access. Will you still allow employees to use their own smartphones etc., or will you provide company phones and laptops now instead?
- Only process personal data necessary for specific purposes.
- Put in place measures to ensure you are compliant with the principles.
- Keep records to prove you are compliant.
By 25 May 2018 you must ensure that your business has fully implemented GDPR-compliant measures. If you would like any assistance or advice to prepare your business for GDPR, please contact a member of the team.