
GDPR

GDPR rules are in full swing, with its largest fine ever – of $887 million – handed out to Amazon last summer. The US giant was financially penalised for not having the proper consent from users to use their personal data. Since May 2018, EU businesses – small and large – have been obliged to tighten up security processes when it comes to exchanging and recording sensitive or important documents relating to clients. And, even though the UK has now left the EU, the key principles, rights and obligations remain the same. The UK GDPR is an updated version of the Data Protection Act 2018. Meanwhile, businesses that do business in the EU, have customers there, or monitor individuals resident in the EU will have to comply with EU GDPR rules. Companies employing 250 people or more must also keep records outlining why a client's document is being processed, what data is shared as a result, and how the document and the GDPR financial data within it are retained. The data must also be available for inspection by the Information Commissioner's Office (ICO) upon request.


GDPR accounting for smaller companies

Smaller companies, i.e., those with fewer than 250 employees, aren't exposed to such stringent rules, but they do have GDPR obligations. Under GDPR, a small company only needs to document processing activities in three cases: when the processing is regular (i.e., it's not necessary for a 'one off' situation); when there is a potential risk to the rights and freedoms of any individuals involved; and when the processing involves data relating to any criminal convictions or offences (or any other 'special' category). Keeping strict GDPR records may not be as legally necessary for small companies as for larger organisations, but doing so is still good practice. It also makes compliance with GDPR rules and processes much easier. After all, companies, large or small, do need to have clear and transparent data privacy policies.


GDPR rules for larger organisations

Larger companies and organisations are obliged to explain why they are processing a document in a particular fashion and to outline their legitimate grounds for doing so. The names and roles of those controlling and receiving the information must be noted. The type of data, i.e., whether GDPR financial data, personal data etc., should be recorded, along with whether or not it was sent to another country and how this was done. Records must also be kept on how long the information is retained and when it will be erased. And finally, larger companies are also obliged to outline their security measures.


Software to help with GDPR compliance

It may be that your company is small enough that you can implement the GDPR rules using a spreadsheet. However, it's important to be aware of data security when you need to share this information. Other companies may need additional help in the form of specially designed software.

Whichever software system you opt for, it's a good idea to use a system with encryption methods similar to those of online banking. Your system should also provide the flexibility to sign off documents and give approval electronically, i.e., with e-signatures. Finally, you should be able to obtain information quickly, since part of the GDPR rules is that clients are entitled to request a record of the data you hold on them. Under the Information Commissioner's guidance, this is to be provided within one month. A software package that allows you to upload documents for a client is extremely useful for this purpose.
