What the EU General Data Protection Regulation Means For Your Small Business Feb 1, 2018
On 25 May 2018 the EU General Data Protection Regulation (GDPR) comes into force. If your small business collects, stores and/or moves personal data of any sort, this will affect how you do so. If you’re not sure what constitutes ‘personal data’, check out this infographic. Here we take a look at some of the steps to take to make the transition to the new legal framework as smooth as possible.
Hopefully your business has already started the process of making any necessary changes to your processes. If not, then start now. Make sure everyone in your business is aware of the upcoming changes. You should then identify who within your company is a data controller and who is a data processor. The data controller is the person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. The data processor is, as the name suggests, any person who processes data. In practice, for very small companies one person may carry out both roles. The data controller should then initiate a full audit of the way your company handles personal data.
Carry Out a Comprehensive Audit
Your audit should identify the mechanics you use for collecting personal data, how/where it’s stored, how you gain consent for data collection and use, how individuals can request you remove their data from your databases, and why you may still keep some data to ensure you don’t contact them again. Your audit will also need to identify your ‘lawful basis’ for processing data, and any third parties who handle data on your behalf. Large parts of the GDPR are concerned with companies showing due diligence and evidence of the steps they have taken to comply. This audit can help satisfy some of these requirements.
Gain Active Consent
However you gain consent from people for use of their personal data, this needs to be active. No more pre-ticked boxes on websites, or ‘tick if you don’t want to hear from us’ sections on paper forms. You also need to make sure that you can prove how you gained consent. For online sign-up the easiest way to do this is to create a two-step process, such as requiring a response to an email (this would also be suitable where consent is gained on the phone). For a paper-based option, best practice is to keep the original forms, securely of course.
Ensure Customers Know What They’re Agreeing to…
The GDPR refers to ‘unbundled consent’, which essentially means that you separate out the different things that customers may be signing up to. So, for example, if you have terms & conditions that you require customers to agree to and you also want to ask for consent to send marketing information, this should be done separately. In addition, consent should be ‘granular’ – for example, asking for permission to use each different channel you may use (email, post, phone, etc.).
…and They Know How to Opt-out
Opt-out options should be clear and should reflect the way in which consent was gained. So if you asked for, and gained, consent over the phone, you need to provide a phone number for people to ask for their details to be removed. You should also be aware that the GDPR requires that data is removed from across all of your systems. However, as with all aspects of the GDPR, this does not affect those situations where there is a separate legislative requirement for you to keep data.
Update Privacy Notices and Terms & Conditions
Your business will need to make sure your privacy notice and terms and conditions are amended to reflect the changes that the GDPR brings in. The ICO has produced a helpful guide to this that gives clear examples of best practice.
Check Out Third Party Contractors and Systems
Your initial audit will have identified any third party companies who collect, process or hold personal data on your behalf. These could be, for example, companies that process online payments for you or organisations that you use to process your email marketing. Whoever they are, it is your responsibility to confirm that they are also GDPR compliant. As with the rest of this process, you should also record the evidence that you have checked and that they are compliant.
What About 'Cold' Calling?
Again, the key is due diligence. Whether you are contacting people via post, email or phone, you need to demonstrate why you are doing so. What is your legal basis? Direct marketing is considered a legitimate interest as far as the GDPR is concerned, but you will still need to be able to show how you have collected data and how people can opt out.
Online Security and GDPR
Many of the steps above will help ensure that your website is compliant with the EU General Data Protection Regulation. However, there are some additional elements covering cookie law, as well as more general aspects of website security, which you can find in our article about GDPR and your website.
One Last Thing
All of the time taken to do this will amount to nothing if your basic data protection processes are not adhered to. Why not take the implementation of the GDPR as an opportunity to remind everyone in your business of some of these basic requirements:
- Keep passwords secure – don’t share them, change them regularly
- Store all personal data securely, whether electronic or paper-based
- Shred all confidential waste
- Make sure you lock or log off computers when you are away from them
- If you’re taking personal data out of the office, ensure it is encrypted
- Ensure everyone is aware of basic anti-virus precautions such as taking care when opening email attachments
- Make sure computer screens can’t be viewed by visitors/general public