Introduced on 25th May 2018, the GDPR provides an update to the Data Protection Act which was introduced into law in 1995.
The new rules aimed to make companies throughout Europe more conscious of the significance of appropriately storing and handling data, in addition to encouraging the responsible use of that data. It additionally clarified that business are ‘in custody’ of data – they are not owners of it.
The new regulation introduces considerably heavier fines for mishandling data or for data breaches – as much as €20,000,000, or 4% of global turnover (whichever is greater) – placing the duty on businesses to make sure their methods and processes are adequate. In addition, breaches have to be reported to the Information Commissioner’s Office inside of 72 hours.
Fines on that scale will clearly act to discourage multinational companies from mishandling data, however they arguably pose a much bigger risk to SMEs.
Ultimately, companies should do all that they can do to be sure that their methods and processes are sufficient for the GDPRrules. Otherwise, they risk financial and reputational harm.
To assist small business owners to remain compliant with GDPR rules, our specialists have pulled together these top suggestions…
1. Perform a regular data audit
Performing regular data audit thoroughly allows you to evaluate and re-evalute your current situation. Current procedures needs to be compared against the GDPR framework and if needed, hire a professional to provide the official line on what you need to, or maybe extra importantly, shouldn’t, be doing.
2. Always ask more questions
Make sure that you have specific permission from the relevant individuals to store and use their data. This means that customers must actively opt-in to you using their data, rather than your business operating with the assumption that implied consent is adequate.
With the emphasis on custody of data rather than on ownership, small companies must be extra cautious about how they use and disclose data, in addition to making it clear what customers are agreeing to. By including explanations and opt-in boxes on data collection forms, you should be covered.
Businesses should be extra transparent about what data is used for, why, and how long it is stored for. If customers opt-out – assuming there is nothing needed for transactional purposes – then all information petaining to that customer should be deleted permanently.
3. Evaluate and improve your security (specially on-line)
One of the best methods to make sure that data is stored securely is to maintain it in one location – ideally a secure server.
Duplicated data is messy, and it could trigger huge issues for businesses. Limit the danger of dispersed data and be sure that any paperwork containing personal information are not stored on desktops where they are easily accessible. Basic IT security – locking computers while away from them, password protecting files, robust anti-virus protections, etc – is strongly advisable.
Make sure, too, that you just cease sharing data via inappropriate channels. If you’re communicating customer data via WhatsApp, Facebook or other platforms, it’s easy to lose track of it, and it could possibly be discovered by or accidently shared with others.
Having data in a single central location means, in principle, that it will likely be simpler to handle responsibly. This is also something to keep in mind for your use of technology – in case your staff are utilising personal smartphones for work purposes, they could possibly be inadvertently breaching data guidelines. Get a policy in place in order that they understand how they need to be utilising data and understand the implications.
4. Investigate all of your communication channels
On the topic of social channels, you will likely have to rethink the role that social channels play in your small business.
If you handle customer enquiries and provide customer support via social media, you should consider carefully about how to make sure information is securely transmitted.
Additionally, think about how long that data stays there for, and who has access to the account, in addition to being conscious of phishing methods. Never disclose data if the particular person asking for it is unable to verify. Remember to delete any threads once completed.
It’s worth drafting up some tips on the way you and your staff should approach these issues and if not already, getting used to them.
With a no-excuses approach, you can ensure your organisation adheres to data governance practices and is protected, while making certain your customers are protected, too.