As the festive season draws closer, the inevitable ‘sleeps till Christmas’ countdown has begun. However, another countdown should be at the front of small-business owners’ minds: the rapidly approaching deadline of May 25 2018, when the General Data Protection Regulation (GDPR) is enforced.
GDPR is the new data protection regulation granting individuals more control over their own personal data and how it is used. In turn this directly impacts on the way businesses must legally handle an individual’s data. Research from the Federation of Small Businesses (FSB), the organisation championing UK SMEs, has revealed that almost 60% of its members ranked data protection laws as a significant regulation they have to deal with. Earlier in 2017, a YouGov survey across British businesses found that only 29% of UK businesses had begun to prepare for the new rules and a worrying 38% even confessed to being unaware of what the new legislation meant.
Many people class GDPR as an IT issue and believe that the regulations only apply to computer networks, passwords and the storage of client details electronically. But the scope of the new regulations covers much more than that. In fact, the new rules may affect other processes such as project management and networking. For many businesses, a focus on record keeping will become vital as they must prove how they obtained data, how they use it and how they removed it if they have been asked to by an individual. It will also be a requirement to obtain and keep a record of people’s consent to hold the data in the first place.
Additionally, it’s important to recognise that GDPR gives individuals new rights to help them control how their data is being used. For instance, individuals will now be entitled to the right to be forgotten, the right to access their data to ensure it is accurate, and the right to query a company as to why and how it holds their personal data; the onus falls on the business itself to answer. It’s important for small businesses to begin thinking about exactly what data they need to collect and keep, as well as how they will amend their current procedures to comply with the new regulation.
Businesses are advised to now review the data they currently hold, analyse why they are holding it and review the procedures they currently have in place for handling data. It is important that a holistic view is taken by businesses when reviewing their data collection and storage. They need to consider everything from the documents they use to collect it and the way they inform their customers of what their data will be used for to how it will be securely stored.
In addition to considering data handling within the organisation, businesses must ensure that information they provide to an individual regarding their access to data is accurate, clear and concise. They should also ensure procedures are in place to verify the identities of those individuals who may request access to their records, or request changes to be made to their data.
Preparing a business for GDPR is no overnight task, and it requires planning for implementation, which business owners are advised to start now. Fortunately, there are a few things that can help companies do this better.
The first is to carry out an internal audit of the data you have, how it is stored and what it is used for. Make sure to securely delete any unnecessary data.
The second thing to do is to familiarise yourself with the new regulations, including the new rights individuals have, and ensure that your procedures and policies comply with these rights.
Thirdly, ensure all employees are informed and trained in how GDPR will affect the running of the business.
Another thing to keep in mind is to make sure consent for data is freely given, specific, informed and unambiguous. People must make a positive opt-in and be provided with a simple way to withdraw their consent if they wish. It is no longer acceptable to rely on assumptions, pre-ticked boxes or consent by silence. Be aware that not only must you get consent to send commercial emails, but you must also keep records of this consent.
Finally, if you buy data or buy a client database from a third party, you must make sure that you obtain documentation from them to show compliance with the GDPR.
This article comes courtesy of FSB.