GDPR (General Data Protection Regulation) comes into force on 25 May 2018 for all UK businesses that collect and use personal information in exchange for free services.
Are you ready? Read on to find out more...
The regulations will change the UK data protection law and govern what businesses can do with all personal information they collect.
The new rules will have a wider scope and more significant consequences should the rules around the storage and handling of personal data be contravened.
The GDPR is considered a necessity for the protection of data in a modern internet-based society, particularly for smaller businesses, which may have less stringent data protection controls in place.
The reputational risk of not following the rules is in itself a good reason to take this opportunity to review and update your company's policies.
What does the GDPR mean for SMEs?
You will need to gain positive consent to store an individual's personal data. A pre-ticked box does not count. The individual can withdraw consent at any time. If they do, you have to permanently erase the data.
You will need to start by reviewing your existing data to check that you have consent to hold it and that you have a valid reason to hold it. If not, it should be deleted.
You need to review your practices to ensure that all data is securely kept to prevent data breaches.
As personal data is a key tool to target and retain customers, it must be handled with great care. You should start planning for the GDPR now.
- The governance measures expected of smaller businesses are expected to be comprehensive but proportionate. You should evidence your review and ask yourself these questions:
- What data is held, how is it used, do I have consent, is it safely stored, and what is the purpose of having it? Don't forget to include in your review any back-ups of older data that may be held.
- Make it clear why the data is held; consider categorising it, e.g. employees, suppliers, blog subscribers, etc.
- Review your business contracts and website terms to ensure that agreement is explicit (requires positive action) and that this can be evidenced;
- Evidence the reasons for holding and processing the stored data. For example, it may be a legal requirement (e.g. for HMRC);
- Put a policy in place on how to remove data on individuals if they choose to withdraw consent;
- Review your processes for storing data (on laptops, mobiles, etc.) and ensure that they are secure (e.g. encryption, passwords, access levels, physical storage of PCs, mobiles, etc.);
- Document your policy in the event of a data breach: how it is reported and investigated, and ensure your employees know about it.
- Allocate a person to lead on GDPR in your organisation, and make sure everyone knows who that person is and how GDPR is relevant to their role.