What is GDPR (General Data Protection Regulation)?
GDPR is great for you as an individual and an opportunity for your business
What is GDPR and what does it mean? GDPR is an EU regulation that replaces the 1995 Data Protection Directive and, in the UK, the Data Protection Act 1998. The UK was closely involved in drafting it, and it stays in force regardless of Brexit because the UK has written it into domestic law.
GDPR applies to any organisation established in the EU, and to any organisation anywhere in the world that offers goods or services to, or monitors the behaviour of, people in the EU. It is where the person is, not their citizenship, that matters.
So whether it's Google, Facebook, Amazon, John Lewis, your local shop or your acupuncturist, they all have to give us access to our data.
At its core, GDPR is pretty straightforward. Its objective is to protect us as individuals and ensure that companies are transparent about the data they hold on us, why they need it and who they share it with.
As it stands right now, we often have no idea what these companies know about us, what they do with this information or who they share it with. GDPR puts people first.
GDPR gives us the right to see what personal information companies hold on us and what they do with it. In many circumstances we also have the right to have it erased from their systems.
What is GDPR to small businesses?
GDPR requires small businesses, as well as larger ones, to keep accurate and up-to-date records of the personal data they hold on their customers and staff, and to be able to explain why they hold it.
Small businesses must also protect this data with appropriate technical and organisational measures: properly managed IT security, encryption where appropriate, and backups that let the data be restored after an incident. GDPR names encryption as an example of a suitable measure rather than an absolute requirement, but for a small business it is usually the cheapest way to meet the standard.
Businesses must be able to give their customers and staff a copy of this information in a commonly used digital format and, where the request is valid, erase it.
GDPR will be enforced with heavy fines of up to 4% of global annual turnover or €20 million, whichever is higher. Turnover, not profit. Global turnover!
None of this is bad news for small businesses though. What small businesses need to do to comply with GDPR will also make them more secure, efficient and productive. All businesses should be doing these things anyway.
In the end, GDPR is a win for everyone!
How does a small business become GDPR compliant?
Any business of any size that holds any information on a customer must be compliant, including a name, email address or phone number. Basically, it applies to all businesses. So what is GDPR for small businesses?
The most important thing is to be able to demonstrate that your business takes GDPR seriously and has taken measures to comply. If you have done this, then even if there is a breach of some sort, the ICO (Information Commissioner's Office) is less likely to come down hard on you.
To use a straightforward analogy: you can put great locks on your house, install an alarm and have a guard dog, but your house may still be broken into. You did what you could reasonably do and you will not be held at fault for carelessness. It's the same with GDPR.
In a nutshell, there are a few key areas that small businesses need to address to be GDPR compliant. The good news is that they are things all businesses should be doing anyway.
GDPR is a great opportunity for SMEs to meet their legal obligations AND streamline their systems and processes.
- Security – Your IT systems need to be secure, including laptops, tablets and mobile phones.
- Encrypted Backup – Data you hold should be encrypted, on the device and in transit, and automatically backed up. Test that the backup can actually be restored; an untested backup is not a safeguard.
- Client Access – If a client wants to see the information you hold on them you must be able to provide it. Where the right to data portability applies (data they gave you, processed by automated means on the basis of consent or a contract), it must be in a commonly used, machine-readable format that lets them re-use it elsewhere.
- Right to be Erased (or information rectified) – If a client asks to be deleted from your systems, you need to be able to do it, unless you have a legal reason to keep the data (for example tax records you must retain). You must also be able to correct their details on request.
- OPT IN and Consent – Where you rely on consent, opt-out will no longer be valid. People must actively choose to opt in. Boxes can no longer be pre-ticked, and confusing language that leaves people unsure what ticking the box means does not count as consent. Keep a record of when and how each person consented. This applies from 25 May 2018.
- Cookies, Privacy Policies and T&Cs – These will need updating as well. They need to be clear to read and easy to understand. They must specify why the collected information is needed and who it is shared with, and the collection must be for relevant and legitimate purposes.
- Notification – The ICO must be told of a data breach within 72 hours of you becoming aware of it, unless the breach is unlikely to put people at risk. Where the breach is likely to put affected customers or staff at high risk, they must be told as well, without undue delay. Keep a written log of every breach, even the ones you decide not to report.
- Ongoing compliance – Once these systems are in place, you need to ensure they stay in place.