We’ve already talked about how, on 25 May 2018, the General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998. In case you missed it, this is to make data collection rules consistent across the EU.
Regardless of what happens with Brexit, it’s important to note that GDPR still applies if a non-EU company processes the personal data of anyone living in the EU. And it affects all businesses, meaning GDPR for small businesses is a reality, just as much as it is for large corporations.
With large fines promised for those who don't comply with the new regulation, it’s a good idea to know where you stand. Particularly as one of the biggest considerations is making sure ‘sensitive data’ is handled correctly.
Of course, knowing what is and isn’t ‘sensitive data’ is the first thing to be clear about.
Do I hold potentially sensitive data?
Never before have we shared so much personal data with businesses. Never before have businesses placed so much value on this data. And never before have more companies collected and stored sensitive data without knowing it.
Let’s look at a few examples:
- A virtual assistant helps a client with a direct mail campaign and holds data including home addresses, employer and work addresses, age groups etc. This is stored in the cloud and then shared with a distribution company that sends the mail. GDPR says explicit consent for both parties to use this information is needed.
- Past and present personal data in HR records is a potential target for hackers, and it’s your responsibility to make sure it’s absolutely secure. Any third party request to access this information is subject to the employee (or ex-employee) giving consent.
- Health professionals such as physiotherapists and chiropractors through to homeopaths and reflexologists might ask patients to complete a form about their wellbeing prior to treatment. If this information isn’t stored in line with the new data regulations, it could be in breach of them.
In fact, any company or individual providing marketing, IT, accountancy or other business support may have access to a wealth of client and customer data. GDPR says this now needs to be collected, stored and protected in specific ways in case of a breach.
Breach club
While everyone’s talking about high-profile hacks and attacks (and sadly these are genuine threats), cyber breaches come in all shapes and sizes.
A member of staff accidentally leaving a laptop containing customer data on a train could leave your business vulnerable. Similarly, a disgruntled member of staff could access data that they shouldn’t. Data can also be deleted or lost from something as innocuous as a power outage, causing an IT system to fail.
The point is that most businesses hold some sort of data that could be lost, changed or viewed without authorisation. Businesses ignoring the GDPR do so at their peril.
How can I prepare a data protection strategy for GDPR as a small business?
The GDPR requires that larger businesses or public authorities carrying out large-scale data handling appoint a Data Protection Officer. While GDPR for small businesses doesn't demand the same, it’s good practice to make sure data handling is a specific person’s job. That person then has responsibility for the following:
- Carrying out data protection impact assessments to determine what kind of personal information has been, is being or will be collected, along with the collection method, how it’s used, transferred and stored, why it might be shared and how it’s protected.
- Carrying out regular internal audits of data collection and storage processes, making amendments where necessary.
- Making sure all staff are up-to-date with data protection training and that new joiners are aware of and understand processes and procedures.
- Taking a view on any new technology, software and marketing initiatives to ensure they comply with GDPR.
- Forming a crisis group before you need one. Specific people trained to take the lead if the worst happens can help reduce the impact on your business.
Get in line
GDPR for small businesses is here to stay. Ignore it at your peril.
The harsh reality is that failure to plan for and comply with the new regulations could mean much more than a slap on the wrist. There are tough new penalties of up to 4% of your annual revenue or €20m. And that’s before the potential damage to your business’s reputation and indirect loss of income, too.
Can you afford to not be ready?