A small business guide to GDPR
GDPR has been helping to protect our data since 2018. And even though it is an EU regulation, it has been retained in the UK post-Brexit as the UK GDPR. Our quick guide to GDPR for small businesses should tell you everything you need to know.
What is GDPR?
GDPR stands for General Data Protection Regulation. It is data protection legislation that became applicable across the EU on May 25, 2018. Even though the UK is no longer part of the EU, the legislation has been converted into UK law (the UK GDPR, alongside the Data Protection Act 2018) and still applies in the UK.
GDPR has been designed to change how businesses and public sector organisations can use and handle customer information, and give individuals greater control over how organisations contact them and use their data.
Does GDPR apply to your business?
If your business processes personal data about customers, staff, suppliers or anyone else, then GDPR applies to it, and its rules bind every controller and processor of that data within your company. There is no size threshold: GDPR applies whether you have one employee or a thousand. The 250-employee figure that is often quoted is not a threshold for GDPR applying; it relates to a narrower exemption that spares smaller organisations from keeping a full written record of their processing activities, and even that exemption falls away if the processing is regular rather than occasional, is likely to put individuals at risk, or involves special category data such as health information.
Appointing a Data Protection Officer (DPO) is only mandatory in certain cases, for example for public authorities or where your core activities involve large-scale monitoring of individuals or large-scale processing of special category data. Most small businesses are not required to have one, but it is still worth making sure someone in the business owns data protection and is responsible for the following:
- Inform and advise the organisation and employees about their obligations under GDPR
- Monitor data compliance
- Manage internal data protection activities
- Train staff
- Conduct internal audits
- Be the point of contact for supervisory authorities and individuals whose data is being processed
How will GDPR affect your business?
There are a number of ways your business can easily fall foul of the GDPR rules if it doesn't adapt how it deals with customer data, such as:
Reporting data breaches
Before GDPR came in, businesses were under no time pressure to disclose data breaches, even to the individuals who might have been affected. This meant there were cases where malicious attacks and data leaks were not made public until years after they happened, and even then sometimes only by accident.
Now you have 72 hours from becoming aware of a breach to report it to the relevant supervisory authority (the ICO in the UK), unless the breach is unlikely to result in a risk to the individuals concerned. Where the breach is likely to result in a high risk to those individuals, you must also tell them directly without undue delay. Whether or not a breach is reportable, you must keep an internal record of it. And if you have employees who work remotely, or use their own devices, you will need to put more stringent security measures in place so that a lost laptop or phone does not become a reportable breach.
The right to be forgotten
Any individual whose personal data is stored or processed by your business has the right to see the personal data held on them and to have it corrected where it is inaccurate or incomplete. They can also have it erased completely in a number of situations, including where:
- The data was unlawfully gathered.
- There is no longer a legitimate reason for your business to continue processing the data.
- The data is no longer needed for the purpose for which it was originally gathered.
- The processing relied on the individual's consent and they have withdrawn it.
Easy to understand contracts
Some businesses hide behind long-winded contracts written in legalese so they can slip in ways of using personal data that people would not ordinarily agree to. This is no longer allowed. Your business must explain clearly, and in plain language, what data it collects and why. Consent is only one of the lawful bases for processing, but where you rely on it, it must be freely given, specific, informed and unambiguous, and it cannot be buried in your terms and conditions or taken from a pre-ticked box.
How to get ready for GDPR
Here's how to make sure your business is fully compliant with GDPR:
- Make sure you and any relevant stakeholders are completely up to speed with the new rules.
- Carry out an audit of your current data-handling systems.
- Keep a data log, or record of processing activities, listing all the personal data you hold, where it came from, why you hold it and who you share it with.
- Examine where and how you currently collect and process data.
- Work out the main risks to your data and work out ways to make systems more secure.
- Work out the best way to gain consent from your customers and clients.
- Continue to evaluate and update your systems.
- Create a contingency plan for dealing with data breaches, including who decides whether a breach must be reported and how you will meet the 72-hour deadline.