GDPR is probably overdue
GDPR replaces the 1995 EU Data Protection Directive, which the UK implemented as the Data Protection Act 1998 (DPA). The DPA dates from a time when only the largest companies could afford to collect customer data. Since then, data collection has become commonplace and thousands of small businesses use it to aid their sales and marketing efforts. GDPR was developed to reflect these changing circumstances.
Customer consent
Perhaps most importantly for SMEs, where you rely on consent as your lawful basis for processing (rather than, say, a contract with the customer or a legitimate interest), under the new regulations you will not only have to get the clear and unambiguous consent of your customers to store and use their personal data, you will also have to keep a secure record of how and when that consent was granted, what it was granted for and for how long. As an SME you will be expected to be able to produce a clear audit trail of consent: who consented, when, to what wording, and through which channel.
And importantly, that consent will have to be positively given. Assuming consent from a pre-ticked box, or inaction on the part of the customer, will no longer be acceptable. This has to be an opt-in, rather than opt-out, process. In other words, if you use tick boxes, they have to be left unticked. Don’t forget email marketing tools like Mailchimp. The mailing lists stored in them are still covered by the consent regulations.
Delete and forget
Importantly, your customers will have the right to withdraw their consent at any time, and withdrawing consent must be as easy to do as giving it. Individuals also have the “right to be forgotten” (the right to erasure), although it is not absolute: you can refuse where, for example, you must keep the data to meet a legal obligation. That means you will need to know exactly what data you hold on a customer and where it is stored (server, PC, cloud, filing cabinet, and any third-party tool such as your email marketing platform), so that you can delete it permanently if a request is made, including copies held by suppliers who process it on your behalf, and so that you can say how long it will survive in backups before being put beyond use.
Data breaches
If you suffer a data breach, you have to act quickly. GDPR states that the relevant supervisory authority (the ICO in the UK) must be informed within 72 hours of you becoming aware of a breach, unless the breach is unlikely to result in a risk to the individuals concerned, with details of the nature of the breach, the categories and approximate number of people and data records affected, the likely consequences and the measures you are taking. Where the breach is likely to result in a high risk to individuals, you must also tell them without undue delay. This means you need the monitoring tools in place to recognise a breach almost as soon as it happens, and a written record of every breach, including those you decide not to report.
Getting ready
While these requirements are the most obvious ones affecting SMEs, there are many more. Depending on your business and sector, and what you actually do with personal data, implementing GDPR may require an information audit in the first instance, so you understand exactly what information is stored, where, for what purpose and on what lawful basis. It may also require a change in company culture, with staff assigned to proactively monitor consent trails and data storage protocols, ensuring that best practice – in accordance with the stipulations of GDPR – is always followed. Not doing so could result in hefty fines: up to €20 million or 4% of annual worldwide turnover, whichever is higher, for the most serious infringements.
This is just a summary of some of the main points of GDPR. For more information, the Information Commissioner’s Office is a great place to start.