If you’re a business owner and you’ve not heard about GDPR, you seriously need to put that right – check out this quick guide to GDPR for small businesses for everything you need to know…
What is GDPR?
GDPR stands for General Data Protection Regulation, and it is new a data protection legislation that will come into force across the EU on May 25, 2018. Even if the UK leaves the EU, the legislation will be converted into UK law and will still be applicable in the UK.
The new rules are designed to change how businesses and public sector organisations can use and handle customer information, and give individuals greater control over how organisations contact them and use their data.
Does GDPR apply to your business?
If your business regularly processes customer data or personal information, then GDPR rules will apply to all controllers and processors of data within your company. GDPR will automatically be applied to any company with more than 250 employees, as well as those that employ fewer but process personal data on a regular basis.
You can find out more at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/
In order to make sure your business is fully up to speed with GDPR, and is following the guidelines from the outset, it’s recommended you appoint a Data Protection Officer (DPO), who can fulfill the following roles:
- Inform and advise the organisation and employees about their obligations under GDPR
- Monitor data compliance
- Manage internal data protection activities
- Train staff
- Conduct internal audits
- Be the point of contact for supervisory authorities and individuals whose data is being processed
How will GDPR affect your business?
There are a number of ways your business can easily fall foul of the GDPR rules if it doesn’t adapt how it deals with customer data, such as:
Reporting data breaches
As things stand, businesses are under no time pressure to release details of data breaches, even to any individuals who might have been affected – so we’ve seen cases where stories of malicious attacks and data leaks haven’t been released until years after they happened, and even then, sometimes by accident.
As off May 25, you’ll have 72 hours in which to report any data breaches to the relevant authorities as well as anyone put at risk by the breach. And if you have employees who work remotely, or use their own devices, you will need to put more stringent security measures in place.
The right to be forgotten
Any individuals who have data stored or processed by your business will have the right to see and amend the personal data held on them, and have it corrected where necessary. The can also have completely removed completely if:
- The data was unlawfully gathered.
- There’s no legitimate reason for that company to continue processing data.
- The data is no longer being used for the reason it was originally gathered.
Easy to understand contracts
Some businesses hide behind long-winded wording in contracts, and speak in legalese so they can slip in ways they can use your data that you might not ordinarily agree to. This will no longer be allowed, and your business will have to provide clearly-worded explanations and need your explicit consent to use your data.
How to get ready for GDPR
If you’ve not already got plans in place to get your business ready for the new legislation, you need to act fast. Here’s what we recommend:
- Make sure you and any relevant stakeholders are completely up to speed with the new rules.
- Carry out an audit of your current data-handling systems.
- Implement a data to log containing all the information that need protection.
- Examine where and how you currently collect and process data.
- Work out the main risks to your data and work out ways to make systems more secure.
- Work out the best way to gain consent from your customers and clients.
- Continue to evaluate and update your systems.
- Create a contingency to deal with data breaches.
How is your business dealing with GDPR? Share your ideas with our business community.