GDPR Governor

GDPR (the Data Protection Act 2018 is essentially GDPR with some small changes) requirements apply to all businesses, large and small, although some exceptions exist for SMEs. Companies with fewer than 250 employees are not required to keep records of their processing activities unless the processing is a regular activity, concerns sensitive information, or the data could threaten an individual's rights.

So how does that work for the majority of SMEs? How many process sensitive information that could threaten individuals' rights? And what counts as sensitive information?

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
  • trade-union membership;
  • genetic data, biometric data processed solely to identify a human being;
  • health-related data;
  • data concerning a person’s sex life or sexual orientation.

So how much of this type of data is likely to be held by the average SME? Not that much, even in their HR records, unless, for example, the company uses chemicals in its manufacturing process, which requires it to hold health information regarding allergies and so on. There are other examples.

GDPR compliance requires that companies who process or handle personal data and have more than 10-15 employees must appoint a Data Protection Officer (DPO). A DPO will help with the maintenance and regular monitoring of data subjects, as well as with the processing of special categories of data on a large scale. Personal data is any information which relates to an identified or identifiable natural person. For example, a person's telephone, credit card or personnel number, account data, number plate, appearance, customer number or address are all personal data.

Just about everyone processes personal data of some sort, that is, data that can identify a living individual. HR data will contain bank account information, home addresses, NOK, phone numbers, and maybe references from previous employers. The exposure of some or all of that could be judged as a regular activity and prejudicial to an individual's rights. Some companies may have bigger problems, for example Solicitors, Estate Agents, Financial Advisors and Recruiters (the list is not exhaustive), which hold an abundance of personal data about their clients, much of which, under other legislation, they are required to retain for up to 7 years.

What this means is that a fairly significant number of policies and processes will need to be written and taken into use by the organisation. It is not unusual for many to visit the web and download templates to cover their requirements. However, whilst these templates in themselves may be adequate when used by someone who knows what the requirement is, they may be less than effective in the hands of someone who is just looking for a quick tick in the box.

And let’s not forget that the Act requires personal data to be secured by ‘default and design’. This means that cyber security requirements must be designed into your protections from the outset. This in itself could mean at least another 6 or 7 policies and procedures.

That’s a lot of paper to produce. How much easier to do this using a cloud-based tool that not only provides templates, but also provides processes for handling data breaches, data protection impact assessments (DPIAs) and data subject access requests (DSARs), along with the ability to assign ownership of these policies and ensure they are updated and read by staff, making your road to compliance much easier. This is achieved using the GDPR Governor system, provided on a monthly charge with no contract, i.e. you can terminate it at any time. The charge is incredibly affordable for all SMEs.

When combined with our DPO service, again provided on a monthly fee with no contract, this is an extremely attractive option for many.

Check this out under the Partners tab above.