The EU General Data Protection Regulation (GDPR) has applied since 25 May 2018. If you run a small business, failure to comply could mean fines of up to 4 percent of your annual worldwide turnover. Let's take a look at what you need to know.
First, we'll deal with what changes GDPR brings into play. There are two main principles:
1. Handing people more control of their personal data
2. Introducing a single, unified regulation for businesses across the EU
GDPR applies to every business established in the EU and (in some circumstances) to companies outside the EU that process the personal data of people in the EU, for example by offering them goods or services or monitoring their behaviour.
If your core activities involve large-scale processing of personal data (see the note on Data Protection Officers below), you must appoint a Data Protection Officer (DPO). They'll ensure you comply with GDPR and be the point of contact for queries from individuals and the supervisory authority.
For individuals, the main thrust of the regulation is that they get more rights over how organisations use their data. That includes 'the right to be forgotten' (the right to erasure): if they no longer want you to process their personal data and you have no legal basis for keeping it, you must delete it.
If you don't comply, penalties can be harsh. GDPR has introduced fines of up to €20 million or 4% of annual worldwide turnover, whichever is the greater.
You must show that you understand the types of personal data (such as names, addresses and bank details) and special category data (such as religious affiliation, health or ethnicity) that you hold. You should know where it comes from, where it goes, how you use it and on what legal basis.
If you're relying on consent to process personal data, things are trickier under GDPR: consent must be freely given, specific, informed and unambiguous (and explicit for special category data), and it can be withdrawn at any time. Consent is only one of six lawful bases. Where another basis fits, such as performance of a contract, a legal obligation or legitimate interests, it is usually more robust than consent, so avoid relying on consent unless you genuinely need it.
Update your security measures and policies to ensure they're GDPR-compliant. Not got any? Get some in place. GDPR expects technical and organisational measures appropriate to the risk, and it names encryption and pseudonymisation as examples, so encrypt personal data at rest and in transit.
You should respond to subject access requests within one month (extendable by up to two further months for complex or numerous requests, provided you tell the person why). Under the right of access, people can obtain a copy of the personal data you hold on them; under the right to rectification, they can have anything inaccurate corrected; and in some circumstances, under the right to erasure, they can have everything you hold on them deleted.
Make sure your staff are up to speed on GDPR. They'll need to know what counts as a personal data breach. Build in red-flag processes so that breaches are spotted and escalated quickly, because you must report a breach that risks people's rights and freedoms to your supervisory authority within 72 hours of becoming aware of it. Make sure everyone knows to report mistakes to the DPO, or to whoever owns data protection if you don't have one.
Do due diligence on your supply chain. Any supplier that processes personal data on your behalf (a processor) should be GDPR-compliant, and you remain responsible for the data you hand over. You must also check your contract terms: GDPR requires a written contract with each processor setting out their obligations, such as only acting on your instructions, keeping the data secure and notifying you without undue delay of any data breach.
Under GDPR, you must tell people clearly what you're doing with their data. A fair-processing (privacy) notice gives them this information. The notice should say who you are, why you're processing their data and on what legal basis, which categories of recipient you're sending it to, how long you'll hold it and what rights they have.
Do you need to appoint a Data Protection Officer (DPO)? Probably not as a small business, unless your core activities involve 'regular and systematic' monitoring of data subjects on a large scale, or large-scale processing of special category data.
You mustn't hang on to personal data longer than necessary, or use it for any purpose incompatible with the one you collected it for. To ensure compliance, identify your data categories: what personal data you have, where it came from, why you hold it and how long you need it.
Under the new GDPR rules, consent has been redefined. You can no longer bury requests for approval in small print. They must be presented clearly, in plain language and separately from other terms and conditions, and people must be able to withdraw consent as easily as they gave it. That means the end of the pre-ticked box.
For pre-existing personal data, fresh consent might not be needed, provided you have a lawful basis for the processing and, if you are relying on consent, the consent you already hold meets the GDPR standard. If in doubt, it's best to ask for confirmation and keep a record of it. Silence, pre-ticked boxes or inactivity are no longer a valid way to gain permission.
If you run a small company, you might see GDPR as a pain in the neck. But it's actually an opportunity. Trust is a core tenet of business, so by showing potential customers you have your legal ducks in a row, you could end up better off.
People aren't keen on having their data lost or misused, so protecting your clients from this could become a selling point.
If you think GDPR doesn't apply to a business your size, think again: it applies to every EU business that handles personal data. Just ask yourself how regularly your business deals with personal data. That includes data about customers, suppliers, and employees past and present. And is there anything else you've collected that doesn't fall into any of these groups?
So, how do you get your customers' consent to use their data? Broadly:
Ultimately, consent is about putting people in control. Get it right and you build trust and engagement, and your reputation benefits too.