What does this mean to you?
What do you know about this?
Will you be compliant by 25th May 2018?
Firstly, did you know that GDPR stands for General Data Protection Regulation? This was formally and finally approved by the EU Government on 14 April 2016. As noted on the GDPR main website, this new regulation was “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
But what does this mean for you and your business?
So, two years on, each business owner in the UK (as we are still part of the EU community) should be prepared, or at least preparing, to complete the steps to get their business compliant before 25th May 2018. Here are some steps and information to get you started. Remember, this affects all businesses, from home-based and small businesses through to large corporates. The size of your business does not matter: if you and your business work within the EU with EU / UK customers, clients, suppliers, employees and sub-contractors, then you need to comply with these new regulations.
What sort of Data do you hold?
Start working out now what personal data you currently hold for your customers, clients, suppliers, employees, sub-contractors. This data includes:
- Email details
- Phone numbers
- Bank details
- Health details
- Emergency contact details
- Religious beliefs
All personal data should be accurate and kept up to date.
Why do you hold this data?
There are numerous reasons you may hold this data. For employees, you obviously require data for payment of salaries, tax purposes, emergency contacts and more. For customers and clients, you may hold their details for contact purposes. It is also important to ensure that you know why you hold each specific item of personal data. Data should only be held for as long as it is required by your business and remains relevant to the client, customer, supplier or employee concerned.
How do you use the data?
Is it used for marketing purposes? If so, have your customers and clients given you express confirmation that they are happy to receive your marketing communications? If not, this is something you need to ensure you obtain. See below. If you store bank details and the like, are they secured?
Who has responsibility for the data you hold?
Normally there will be someone who has overall charge of the personal data you hold for your customers, clients, suppliers and employees. Identify who this is for everyone you hold personal data for. If you are a small business and do not process large-scale personal data (as travel agents, schools or hospitals do), you may not need to employ a Data Protection Officer (DPO), although employing someone to handle GDPR compliance can be a handy resource for a small business.
Who has access to the personal data stored by your business?
Although someone will hold ultimate responsibility for the security of the personal data held by your business, there will be staff who have access to this data. Make a list of all staff outlining what access they have, and make it available to your clients, customers, suppliers, employees and sub-contractors if asked. Staff should be trained in what constitutes a personal data breach and in your business's processes for uploading, accessing and securing data. Any mistake by any staff member must be reported to the Data Protection Officer or the person who is responsible for the personal data held by your business.
What security is in place to keep personal data secure?
Obviously, this is one of the most important aspects of holding personal data. How do you keep personal data secure? Is it password protected? Encryption is the most effective way to ensure that data is kept secure. Data must be processed in a manner that ensures complete security, including protection against unauthorised or unlawful processing and against accidental loss, destruction and/or damage of the data.
You can use the self-assessment tool on the Information Commissioner's site to see if you are GDPR ready.
GDPR and your customers
All data must be processed by your business lawfully and in a transparent manner. Data must only be collected for specified purposes that your business requires it for. Data should be easily accessible to the individuals you hold it for, and access to their data must be provided within 1 month of their request.