What is GDPR (General Data Protection Regulation)?
GDPR is great for you as an individual and an opportunity for your business
What is GDPR? GDPR is the evolution of the old Data Protection Act. It’s an EU regulation that the UK was instrumental in drafting, and it is replacing the Data Protection Act regardless of Brexit. GDPR stands for General Data Protection Regulation. GDPR comes into law on May 25, 2018.
GDPR applies to any business that holds information on any EU citizen, regardless of what country the person lives in or where the business is based.
It applies to any company anywhere in the world that holds data on an EU citizen. Whether it’s Google, Facebook, Amazon, John Lewis, your local shop or your acupuncturist, they all have to allow us access to our data.
Many people are asking what GDPR is. At its core, GDPR is pretty straightforward. Its objective is to protect us as individuals and ensure that companies are transparent about the data they hold on us, why they need it and who they share it with.
As it stands right now, we often have no idea what these companies know about us, what they do with this information or who they share it with. What GDPR does is put people first.
GDPR allows us to see what personal information companies hold on us and what they do with it. We also have the right to be erased from their systems.
What is GDPR to us?
Companies that hold our data must ensure that it is held securely. It’s pretty straightforward. The devices they use to access and store data or send emails must be secure, managed properly and run appropriate security software.
Companies need to back up our data securely and ensure it is encrypted. They need to keep our personal information safe.
Companies must let us see what information they hold on us, and allow us to amend it, erase it and even export it for our own use. They must give us this data in an industry-standard format, not something unique to them.
Companies must inform us why they collect information, what they do with it and who they share it with. Unless data is necessary to the functioning of a service, we have the right at any time to ‘opt out’ and not provide or share this data about ourselves.
Privacy Policies – Cookies – Terms & Conditions (T&C’s)
Almost no one ever reads these things and to date we really don’t know what we’re agreeing to. Going forward, on the front page of company websites (where the cookie notice is now), companies will have to explain these policies and rules to us concisely and in plain English.
No more confusing options. Companies will have to gain our permission by us actively opting in (ticking the box). All boxes will be un-ticked until we choose differently, and we can change our minds at any time and opt out.
What is GDPR to small businesses?
GDPR requires that all businesses, regardless of size, abide by certain minimum standards in the protection and use of the personal information of customers and staff. The good news for small businesses is that GDPR simply isn’t as complicated for SMEs as it is for larger organisations.
By meeting the spirit of GDPR, not only will small businesses meet their GDPR compliance requirements, but they will also protect their businesses, their customers, their staff and themselves.
Yes, non-compliance can be costly, up to 4% of global turnover. Not profit. Global turnover! Most small businesses don’t have global turnover though and GDPR is not meant to be a revenue generator – just an enforcement tool for non-compliance.
The steps small businesses need to take to comply with GDPR will make them more secure, efficient and productive. All businesses should be doing these things anyway.
In the end, GDPR is a win for everyone!
How does a small business become GDPR compliant?
What is GDPR to small businesses? Any business of any size that holds any information on a customer – including a name, email address or phone number – must be compliant. In other words, it applies to all businesses.
The most important thing is to be able to demonstrate that your business takes GDPR and EU data protection seriously and has taken measures in order to comply. If you have done this, then even if there is a breach of some sort, the ICO (Information Commissioner’s Office) is less likely to come down hard on you.
To use a straightforward analogy: you can put great locks on your house, install an alarm and have a guard dog, but your house may still be broken into. You did everything that you could reasonably do, and you will not be held at fault for carelessness. It’s the same with GDPR.
As far as GDPR and EU data regulation for small businesses go, it all boils down to two main points: Data Security and Data Organisation. In a nutshell, there are a few key areas that small businesses need to address to be GDPR compliant and prepared for the new EU data protection regulation. The good news is that they are things that all businesses should be doing anyway.
GDPR is a great opportunity for SMEs to meet their legal obligations AND streamline their systems and processes.
- Managed Security – secure your IT
  - Devices – Your IT systems need to be secure, including computers, laptops, tablets and mobile phones.
  - Encrypted Backup – Data you hold must be encrypted and automatically backed up.
- Data Organisation – where’s your data?
  - Client & Staff Access – If a client or staff member wants to see the information you hold on them, you must be able to provide it in an industry-standard digital format that allows them to re-use it elsewhere.
  - Right to be Erased (or information rectified) – If a client or staff member wants to be deleted from your systems, you need to be able to do it, as well as amend their details if requested.
- Partners and Suppliers
  - Themselves – Check that your partners and suppliers are GDPR compliant.
  - You – Ensure they enable you to be GDPR compliant as well.
- OPT IN and Consent – Opt out will no longer be valid. People must give their consent by choosing to opt in. Boxes can no longer be pre-ticked, nor can confusing language be used so that people don’t know what ticking the box actually means. This will be over on May 25.
- Cookies, Privacy Policies and T&C’s
  - Update – These will need updating as well. They need to be clear to read and easy to understand.
  - Explain – They must specify why collected information is needed, who it’s shared with and for what relevant and legitimate purposes.
- DPO (Data Protection Officer) Process
  - Preparation – Know what to do and where to do it.
  - Notification – The ICO, customers and staff need to be informed of any data breaches within 72 hours.
- Stay READY
  - Ongoing compliance and processes – Once these systems are in place, you need to ensure they stay in place and that you have a system for handling data requests and data breaches.