What’s the bare minimum a small business needs to do?
This Sunday marks just two months to go until the GDPR comes into force. If you’re a small business owner or senior leader, and the acronym GDPR means nothing to you, there are a little more than 60 days remaining for you to not only wise up on the new rules, but ensure that your business meets the new requirements that are being rolled out right across the European Union.
Darren Nicholls, product manager for small business advice specialists Informi, provides some tips on what every small business will need to do by 25 May in order to comply.
“GDPR stands for the General Data Protection Regulation, and it is designed to increase data privacy for individuals. This means that businesses that are responsible for holding personal data will need to have processes and technologies in place that can deal with data requests from subjects. Despite the 2016 referendum where the UK voted to leave the European Union, GDPR is coming into law and will likely remain in law post-Brexit.
“GDPR is a replacement for Britain’s existing Data Protection Act, reflecting that the world has moved on since the Act came into force in 1998 and that companies now handle extraordinary amounts of client data, often in circumstances where there could be cyber security breaches.
“If you haven’t yet done anything about GDPR’s implementation, your first step will be to know exactly what personal data the company holds (and where it’s held), along with where it has come from. Clients will have the ‘right to be forgotten’ under the new regulations, and that will mean erasing all data that a company holds on them if requested to do so. You’ll therefore need to ensure that data is stored in easily accessible places, and know who in your organisation has access to any personal information.
“The Information Commissioner’s Office (ICO) will also be keen to find out how exactly you are complying with the new GDPR, so it’s important you can demonstrate processes that you have for obtaining consent, subject access requests, data-protection impact assessments, deleting client data and reporting data breaches within 72 hours. In all cases, these processes will need to reflect the fact that clients now have enhanced rights as individuals.
“Every public authority, and any company that carries out large-scale individual monitoring (such as online behaviour tracking), will need to have a Data Protection Officer in place, while every other company will need to ensure that a senior staff member holds responsibility for compliance with data protection.”
Don’t get caught out
“It’ll be important to ensure that you don’t get caught out by GDPR. For example, when you are collecting customers’ email addresses, not only will you need their consent to do so, but you will also need to explain to your customers how exactly you plan to use their data. No longer can any company have a ‘pre-ticked’ opt-in box on its website, or use e-mail to promote products or services beyond the reason the customer initially gave their consent.
“The other big priority over the next two months will be to contact all of your clients to ensure they are aware of GDPR and what you are doing to update your procedures. As well as the above, this will also need to include updates to your privacy notices to show the data you collect and how you plan to use it. You will need to show how you have considered who has access to data (and why), demonstrate that all data is secure and regularly backed up, and think about encrypting all electronic devices containing the data (though this last one is a suggestion under GDPR, not a requirement).
“Getting your company up to speed on GDPR isn’t a choice – it will very soon be against the law for companies to not offer greater personal privacy around data. Failure to comply could lead to fines of up to 4% of total annual turnover or €20 million, whichever is greater, so not having the right data protection policies in place could prove fatal to businesses.”