A series of unfortunate GDPR events Part 4 - Record Management
Ok, so you now have your marketing all sorted and you have cleaned up that ancient mailing list. Now it's time to look at what you are going to do with the records you hold.
If you are like me, you have both a digital and a physical copy of all your client records. While that is not necessarily a bad practice, it does mean there is a little more work involved in keeping those records safe.
First of all, you will need to set the standard: identify the basic information that you are going to hold in each record. This may simply be a name, address and phone number, but either way each record needs a clearly identified minimum standard. You must be able to justify that the data you hold has a legitimate purpose, and any data which falls short of that must be removed regularly.
Remember to be aware of any sensitive information in the minimum requirements and avoid it where it is not necessary. It is also very important to be aware of the extra regulations that apply if you need data about a person under 16 years old. This all forms part of the record creation policy that the ICO recommends.
You will also need to clearly identify the lifespan of the data; once it is no longer necessary to keep the data, arrange for its secure destruction.
You will need to identify the risks that go along with your record-keeping style. Bear in mind that papers thrown on a desk may be a style, but it is now a very high-risk one and needs to stop; leaving your files in the car overnight is not really advisable either. You should know where every record is at any moment and work to minimise the risk of those records getting out of your control.
Sometimes it is necessary to pass a record on to a third party for your business. In this case you will need a written agreement between you and the third party to ensure the data is kept safe, to your standards or better, at all times.
Include clauses for notification in the event of a security breach, as you will be responsible for reporting to the ICO about a breach of your data through a third party. Having the agreements in place early will show that you required the third party to adhere to your standards and that they failed, possibly leaving you fine free.
In some businesses it is often necessary to take records out of the office and use them off-site. In this instance the ICO recommends tracking the whereabouts of each record with a record movement log; logging records as they are removed and then returned can help prove that you are aware of the location of your records at all times.
The ICO also recommends creating a record inventory. Both physical and digital records need to be listed in the inventory, so that you will know as soon as a record is misplaced (hopefully never). You will also need to make sure that the transmission of digital records is kept secure; basics like password-protected files can be a good start, but never send the password in the same email.
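To make the minimum standard, the data lifespan, the movement log and the inventory described above concrete, here is an added example (my own illustration, not code from the ICO or from the original post). The field list and the six-year lifespan are assumptions chosen for the example; substitute the standard and retention period you have actually justified.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed record-creation standard for this example: the fields every client
# record must hold, and nothing else without a documented justification.
MINIMUM_FIELDS = ("name", "address", "phone")
LIFESPAN = timedelta(days=6 * 365)   # assumed retention period, not a figure from the post
OFFICE = "office"


@dataclass
class Record:
    ref: str                 # inventory reference, e.g. "C-0001"
    kind: str                # "physical" or "digital"
    created: date
    data: dict
    location: str = OFFICE
    movements: list = field(default_factory=list)   # the record movement log


class Inventory:
    """Lists every physical and digital record and where it is right now."""

    def __init__(self, today: date):
        self.today = today
        self.records: dict[str, Record] = {}

    def add(self, rec: Record) -> None:
        self.records[rec.ref] = rec

    def check_out(self, ref: str, who: str, where: str) -> None:
        rec = self.records[ref]
        rec.location = where
        rec.movements.append((self.today, "out", who, where))

    def check_in(self, ref: str, who: str) -> None:
        rec = self.records[ref]
        rec.location = OFFICE
        rec.movements.append((self.today, "in", who, OFFICE))

    def audit(self) -> dict[str, list[str]]:
        """Findings per record: standard shortfalls, expired lifespan, off-site."""
        findings = {}
        for ref, rec in self.records.items():
            issues = [f"missing {f}" for f in MINIMUM_FIELDS if not rec.data.get(f)]
            issues += [f"unjustified field {k}" for k in rec.data if k not in MINIMUM_FIELDS]
            if self.today - rec.created > LIFESPAN:
                issues.append("lifespan exceeded: arrange secure destruction")
            if rec.location != OFFICE:
                issues.append(f"off-site at {rec.location}")
            if issues:
                findings[ref] = issues
        return findings
```

Running `audit()` regularly gives you the list of records that fall short of the standard, are past their lifespan, or are currently out of the office, which is the evidence the ICO expects you to be able to produce.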
The use of unprotected USB sticks is a huge NO. If you are going to use a USB stick, it will need to be encrypted and kept safe at all times.
Encrypted, secure cloud storage may be an alternative where it is sensible to use one.