GDPR is coming and the sooner you start making changes to your data the better, which is why we put together this simple guide to getting started.
GDPR is going to change everything. But what does that actually mean for SME’s?
To put it simply, the General Data Protection Regulation (GDPR) is a huge piece of legislation from the EU, designed to protect the rights of European citizens. In practical terms this means businesses and marketers need to make big changes to the way we collect, use and store data.
It’s essential to protect data from the rising threat of cyber crime and gain consent to collect the customer data in the first place. A failure to do so could result in punitive fines, such as €10 million (£7.9 million) or 2% of your global turnover– whichever is greater, or for more severe breaches, €20 million or 4% of your turnover – whichever is greater.
This guide will run through the first steps you should take in order to begin meeting the requirements of GDPR when it comes into force in May 2018.
It’s time to educate your business
The first step to becoming compliant is to read up on GDPR. Check out other pieces of content on YRB for an overview. Once you have a base understanding it’ll be a lot easier for you to understand the task of getting compliant within the context of your own business. Remember, whether you’re an office of five or 500, you’ll be held to the same standard. Organisations like the ICO, the FSB and the DMA also have a lot of literature and are happy to offer advice to any business.
Ensure that the key decision makers in your business are fully educated and behind transforming your business for GDPR or it’s going to be difficult to make real, tangible changes.
The audit of all audits
The next step is to begin auditing your business. This isn’t a quick dip into one process either, this is a down and dirty, blow the cobwebs away audit. You’ll need to review every aspect of data collection in your business and lay it all out.
What information do you hold? You need to document every piece of it, where it came from and who you share it with. This is required for all personal data in the business – including details about your staff.
You also need to spend time reviewing your current privacy notices and decide how you’re going to make any required changes. You will have to provide your identity and how you’ll use the information, along with your justification for needing it, how long you’ll hold it and how people can complain if they think there’s a problem.
This is a checklist to get you started:
• Data collection techniques
– Cookies on website
– Competition entries
– Email responses
• Legal contracts
• Data storage management
• Actual data stored
– All customer data
– Email lists
– Invoicing/delivery details
Know your rights
The rights of the individual are a huge part of GDPR. In an attempt to equalise the balance of power between the customer and the entity collecting data, the new rights enshrined in GDPR include the following:
• the right to be informed
• the right of access
• the right to rectification
• the right to erasure
• the right to restrict processing
• the right to data portability
• the right to object
• the right not to be subject to automated decision-making including profiling
This means the way you collect and store data must be in line with the expectations and wishes of the people you collect it from. This could mean showing that you’ve initially collected data, what exactly you’ve collected and ultimately to deleting it at their request. Ensure that every point of data collection you’ve identified in your audit is compliant with the above list.
In addition to this, what’s your provision for dealing with any requests for information or deletion that come through? Consider hiring someone to handle these requests or create a separate inbox to capture and prioritise them.
Be your own security guard
How secure is your data? Are your systems fully protected? What about your staff, are they fully trained up on best practice device management?
If you’re not actively preparing for a cyber attack then you’re playing into the hands of the cyber criminals. You need to put in place the right technology, training and understanding to detect, report and investigate breaches of personal data. In addition to getting fined for any breaches you experience, you will also be fined if you don’t report it to the ICO.
Ultimately you need to make your employees aware that there’s potentially a huge financial side effect to their actions. Now, they should be thinking twice before connecting to unsecured WIFI when out and about. Every email should be scrutinised – if it looks like a scam then it probably is one. If you have a Bring Your Own Device policy then train people in protecting those devices – if they hold business data instead of just personal then every unsecured smartphone could be a ticking time bomb.
A more secure, connected future for everyone
It’s been said before but GDPR isn’t just a disruptive force for the sake of being disruptive. This legislation has been designed to protect all of our data and improve the rights of individuals everywhere. As businesses and as customers, we’re all going to benefit from being more prepared, more secure and ready for anything.
If you want some help with picking the right security solutions for your business then try contacting your mobile provider and organisations like the DMA and other trade bodies.