8 February 2018
The new General Data Protection Regulation (GDPR) is due to come into effect in May 2018. That’s just around the corner, and yet many businesses aren’t ready, or are not even aware that they’re affected. If you run a business, then preparing for GDPR’s requirements is not optional. The potential fines are huge.
Small businesses that capture, store and handle personal data may have to make changes to their data handling policies to ensure compliance, and punishments for offenders will be tough. Personal data is information that could identify or help to identify a living person, such as a name, location information or “online identifier” (like an IP or email address, or even social media posts).
The requirements are complex, and how you approach them will depend on your industry sector. As a starting point for your own preparations, here are five things you should know.
GDPR is an update to the Data Protection Act (DPA), which first came into force in the 1990s. The DPA dates from a time when only the largest companies could afford to collect customer data. Since then, data collection has become commonplace and thousands of small businesses use it to aid their sales and marketing efforts. GDPR was developed to reflect these changing circumstances.
Perhaps most importantly for SMEs, under the new regulations companies will not only have to get the clear and unambiguous consent of their customers to store and use their personal data, they will also have to keep a secure record of how and when that consent was granted, what it was granted for and for how long. As an SME you will be expected to be able to produce a clear audit trail of consent.
And importantly, that consent will have to be positively given. Assuming consent from a pre-ticked box, or inaction on the part of the customer, will no longer be acceptable. This has to be an opt-in, rather than opt-out, process. In other words, if you use tick boxes, they have to be left unticked. Don’t forget email marketing tools like Mailchimp. The mailing lists stored in them are still covered by the consent regulations.
Importantly, your customers will have the right to withdraw their consent at any time, and withdrawing consent must be as easy to do as giving it. Individuals also have the “right to be forgotten”. That means you will need to know exactly what data you hold on a customer and where it is stored (server, PC, cloud, filing cabinet), so that you can delete it permanently if a request is made.
If you suffer a data breach, you have to act quickly. GDPR states that the relevant authorities must be informed within 72 hours of a breach happening, with details of the number and types of data records affected. This means you need monitoring tools in place to recognise and act on a breach almost as soon as it happens.
While these requirements are the most obvious ones affecting SMEs, there are many more. Depending on your business and sector, and what you actually do with personal data, implementing GDPR may require an information audit in the first instance, so you understand exactly what information is stored, where, and for what purpose. It may also require a change in company culture, with staff assigned to proactively monitor consent trails and data storage protocols, ensuring that best practice – in accordance with the stipulations of GDPR – is always followed. Not doing so could result in hefty fines.
This is just a summary of some of the main points of GDPR. For more information, the Information Commissioner’s Office is a great place to start.