The General Data Protection Regulation (or GDPR, as it is most commonly known) is due to come into effect on the 25th May 2018.
If the mere mention of GDPR is sending shivers down your spine, you are not alone. Statistics revealed by the Federation of Small Businesses show that 90% of small businesses are not ready for the new regulations. Worryingly, around 20% of small businesses are still not even sure what it is or how to prepare for it. This article sets out to give SME owners a better understanding of GDPR and of what they need to do to be ready in time for the new law coming into force.
What is GDPR and why does it exist?
As technology continues to evolve, there is an increasing need for measures that strengthen the protection of users' personal data. GDPR is essentially an update to the Data Protection Directive, and it affects companies in the EU as well as any business conducting business within the EU.
Think about all the unwelcome emails and telephone calls you get.
You probably have no idea where those companies got your details or why they hold them, and this is what GDPR is looking to address. Businesses will need permission to hold personal data, they will need a clear reason for having it, and they will also need to seek permission to retain it for a set period.
As a small business, these are the steps you need to take, with regard to the data you are holding, to comply with GDPR.
Understand what data you have and why
You will need to put systems in place to gain a thorough understanding of what data you have and why you have it. This includes data on employees, customers and suppliers.
The positive side of these new regulations is that they are a good chance to cleanse your data, and can even be an opportunity to re-engage with old clients.
A good way of tackling this is to look at your systems, folders, files, etc. and get rid of any data you no longer need. If you wish to hold on to personal data for any reason, you will need to get explicit permission.
Marketing and other data usage
Let's look at this example.
A customer orders from you, you retain their data, and every month or so you send out a marketing email to let them know about new products or services. Seems OK, no harm in it?
Not with GDPR.
The customer provided their information for one reason, to place an order. If they did not explicitly consent to their data being used in any other way, you must either stop marketing to them or put something in place to allow them to consent to it.
Whether it is marketing or anything else you are doing with personal data, you must get explicit permission to do it.
What security measures do you have in place to protect personal data? If you have none, you must put something in place, and this can be difficult for small businesses that don't have an IT department. These are the main measures you can take to secure your systems.
- Anti-virus software – GDPR is in place to protect not only against internal misuse of data, but also against external attacks, so it is imperative that you have up-to-date anti-virus software on all your devices.
- Strong passwords – it is important to ensure that staff have strong passwords in place to access their devices. Passwords should not be shared.
- Systems for ordering – if customers are ordering from you, for example, it is a good idea to ask them to fill out forms with their details, rather than taking data via other methods such as social media or email. In this way, you can properly monitor the data and archive it when you are finished with it. It also keeps the data more secure if you have anti-virus and other security processes in place.
This is a very simple way of showing the customer order process. If you store the data, you must be clear with the customer about how and why you are retaining it, whether for follow-ups, marketing or any other reason. You must also state how long you will retain this data.
- Customer places an order via the website
- Order is processed and personal data is archived, OR
- Order is processed and data is retained
Check data is accurate and up-to-date
As part of GDPR, all personal data held must be accurate and up-to-date. It is very important that you check the data you hold and put in place a process whereby you not only gain permission for holding the data, but also check that the information is accurate and make any relevant amendments.
Subject Access Rights
There will be a one-month timeframe for responding to subject access requests. This means that if you receive a request to edit or delete any personal data you hold, it must be completed within one month of the request.
Communicate with employees
Small businesses have a much simpler job than large organisations when it comes to communicating GDPR and ensuring a strict process is followed. You should endeavour to inform all your employees about GDPR and make sure they know what is expected of them.
If you would like GDPR content for your own website, get in touch by emailing firstname.lastname@example.org or call 07590033183.