With the introduction of GDPR come a few new terms, one of which is ‘data controller’. This is the individual responsible for the use of personal information stored either on computer or in manual files. It is a responsible job with many requirements and is critical to achieving compliance with the new legislation.
What is a Data Controller?
If you keep any information about any living people, then you are in effect a data controller. This includes information on your employees, so in the majority of business situations there will be a need for a data controller. As a data controller you must decide what personal information is going to be kept and how it will be used. Among the many requirements of a data controller, you must do the following:
Keep it safe and secure
You must ensure that the information you hold is securely stored and kept safe. In many cases the information will be stored on a management system with layers of security to ensure it cannot be accessed by unauthorised persons. Files should not be left anywhere that allows others to view them, such as on a desk in an open office or in a filing cabinet to which anybody can gain access.
Keep it accurate, complete and up-to-date
The information you hold should be accurate in the first place. It should be complete for the situation it serves and it should be kept up to date. Using HR files as an example, an employee's address, work performance reviews and other relevant information should be updated to ensure they are correct at all times.
Retain it for no longer than is necessary for the purpose or purposes
The personal information you hold should be retained only for as long as it is necessary and must then be destroyed securely when there is no longer a need for it. HR files for current employees will be necessary; while a record of past employees may be needed, much of their personal information is not, so those files must be destroyed securely.
When requested, you must give the individual a copy of their personal data. It must be in a format that is easy for them to read and portable should they want to share it with another party. A reasonable time frame applies, and the provision of this information cannot come with a charge.
There are other requirements associated with being a data controller under GDPR. A good start is to establish what personal information you already hold in order to create a data register. You can then begin scanning and securely filing digital copies of all the information you need, and securely destroy anything you don’t need to hold. Datascan document services can assist you with this. We can collect paper files from your office, batch scan anything you need and return it to you in digital format. We are covered by our ISO 27001 certification, so you can rest assured your information is safe with us.