GDPR is the snappy acronym for the new General Data Protection Regulation (EU Regulation 2016/679), designed to harmonise data protection law across the EU, and due to come into effect in just four months’ time on 25th May 2018.
You’ll almost certainly have heard about GDPR – it’s been all over the media in recent months, but perhaps you’re thinking it’s something that will only apply to big organisations?
Afraid not. From 25th May, GDPR applies to every business established in the EU, and to any business anywhere that offers goods or services to, or monitors the behaviour of, people in the EU. Falling foul of the law risks a hefty fine: the upper tier is €20 million or 4% of worldwide annual turnover, whichever is higher.
GDPR will benefit all of us. In our digital world, we’re sharing more of our personal information with a diverse range of organisations, and by legislating for how this data is collected and stored, GDPR will help ensure it’s kept secure.
Many big organisations have had teams working on getting GDPR-ready for years. So, with only months until implementation becomes reality, what do you as a small business owner need to do to prepare?
To help answer this question, we asked Mark Feetham from our trusted business partner Less Annoying IT to give us the benefit of his advice.
Getting Ready for GDPR
Ignoring the regulation is not an option. Trust underpins every relationship you have with customers, and GDPR gives them a right to transparency about how you look after their personal information. Besides leaving yourself exposed to substantial financial penalties, being unable to demonstrate compliance to your customers will lose you their trust, and their business.
In this short blog post, it will be impossible to set out everything you need to know about GDPR in detail. Instead, we’ll focus on some of the most important things you need to do to prepare your business.
- Understand your customers’ new rights
GDPR gives your customers a comprehensive set of rights, including rectification, erasure, restriction of processing, data portability and the right to object. Two of them are particularly important for most small businesses:
- The right to be informed
When you collect any personal data from a customer, they have the right to know who you are, what information you are collecting, why you need it and on what legal basis, who you will share it with and how long you will keep it. You need to make sure this is communicated clearly at the point of collection, not buried somewhere they will never look.
- The right of access
Your customers have the right to ask for a copy of all the personal data you hold on them, and to know why you are processing it, who you have shared it with, how long you’ve held it and how long you’re going to continue to hold it. You will normally have to respond within one month and free of charge, so make sure you can actually find everything you hold on a given person across every system, mailbox and spreadsheet.
- Carry out a personal data review
Getting ready for GDPR requires you to review every way your business collects and stores personal data, from customers and from anyone else whose data you hold (staff, suppliers and website visitors included).
You will need to focus on three key areas:
1) People
It’s essential you educate everyone in your team on the importance of adhering to GDPR. As custodians of your customers’ personal information, you have a responsibility to take appropriate measures to safeguard that data and to keep it within the ‘virtual walls’ of your organisation at all times.
This will mean identifying and addressing bad habits that pose security risks, such as emailing spreadsheets of ‘personally identifiable information’ (PII) to personal accounts, or sending PII unencrypted to the wrong recipient. GDPR does not ban email, but it does require security appropriate to the risk, and a misdirected email full of customer data may well be a personal data breach you have to report to the regulator within 72 hours.
2) Processes
You’ll need to undertake a thorough review of all your business processes to make sure they are in line with GDPR requirements.
As an example, a key objective of GDPR is ‘data protection by design and by default’. Where you rely on consent, it must be a clear, positive action: pre-ticked boxes, automatic opt-ins and silence do not count, and customers must be able to withdraw consent as easily as they gave it. Privacy settings on websites must default to the most protective option, with the user able to relax them if they choose. For many organisations, this is likely to require the redesign of hard-copy and digital collateral.
You’ll need to make your processes transparent to customers, so that anyone who wants to can easily find out what personal data you collect, why, and what you do with it. The usual way to do this is to set out your practices in a Privacy Policy published on your website, and to point to it wherever you actually collect data.
3) Technology
Wherever your business uses technology, you’ll need security measures appropriate to the risk of the data you hold. GDPR doesn’t prescribe specific products, but it explicitly mentions encryption and pseudonymisation, and the ability to restore data promptly after an incident, so tested backups matter as much as defences.
Basic precautions include protecting every device with a reputable, centrally managed business anti-malware product such as Bitdefender rather than an unmanaged consumer-grade solution, keeping operating systems and applications patched, and encrypting the laptops and phones that leave the office.
It’s important to be aware that if you’re using third parties to store or process data on your behalf, on an accounting, newsletter or CRM system for example, you remain responsible for how the data is handled. GDPR requires a written contract (usually called a data processing agreement) with each such supplier, so check that each of them offers one, find out where they store the data (transfers outside the EU need a lawful basis), and keep a copy on file.
If you have web functions that store data automatically, such as analytics or advertising cookies, you could be collecting personal data without even realising it. Truly anonymous data falls outside GDPR, but cookie identifiers and IP addresses count as personal data because they can single out an individual visitor, so this is another area you need to consider carefully.
Not surprisingly, given the scale of GDPR, there are grey areas in the legislation that will need to be tested in court. Add to this the fact that it will take business owners and customers time to fully understand their responsibilities and rights, and it seems likely that GDPR will take time to become properly embedded.
But from 25th May, every business must be able to demonstrate that it has taken reasonable steps to comply with the regulation (GDPR calls this ‘accountability’). Will you be ready?
Do You Need Help Getting Your Business GDPR-Ready?
If you don’t have the time or resources to get your business ready for GDPR, Less Annoying IT can help you through the process, but you need to act fast.
Call Mark Feetham on 01628 306532 now for an initial chat,
or email him at [email protected]
For more information about GDPR, go to the GDPR portal at http://www.eugdpr.org
For more information about Less Annoying IT go to www.lessannoying.it