In a nutshell, GDPR applies to all personal data and sensitive personal data. But many businesses are making the mistake of thinking that this only applies to their customers – when in actual fact the more ‘sensitive’ personal data is likely to fall within your own business walls. So when we talk about company data under GDPR, what do we mean, and why do you need to protect it?
This is going to be the big one for most businesses, because even a business of one person has their own employee data on file. And this is where a lot of the more sensitive personal data will be found – within your own company records. To clarify, GDPR states that sensitive personal data is classified as “data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation”, much of which you will hold on your past and present employees. Personal data relating to criminal convictions and offences is technically not included as ‘sensitive’ personal data, but there are specific safeguards in place for this in Article 10 of the regulation.
In other words, GDPR has imposed a whole new set of rules around what counts as personal data (and sensitive personal data), consent to provide that data and what businesses can store. But what many businesses are forgetting is that this doesn’t just apply to customers and suppliers – it applies to their employees too. GDPR gives employees much more control over their data, and places more burden on businesses to ensure that employees’ rights (both new and old) are met. The good news is that, from an employee data perspective, the new rules are very similar to our existing Data Protection laws, with only a few amendments required.
Once again, GDPR circles back to the idea of personal and identifiable data. If your business uses any form of supplier (even if it is purely online), then you will hold personally identifiable data about them on file. That could be something as innocuous as the name of your contact or the address of the business. It’s still enough to trigger GDPR, which means you need express consent to hold it and a management system in place to handle it in case they request that it be deleted.
At Tipac, our solutions answer a lot of these concerns, without resorting to full systems overhauls. By implementing a bespoke content management solution, your business can gain more control over what data you hold on whom, records of consent, what is done with the data, how easy it is to find and delete and much, much more. For more information on how we can help you protect your business data and stay GDPR compliant, just get in touch with us today.