If May 25th 2018 wasn’t in your diary before, it absolutely should be now, with the introduction of GDPR for small businesses.
For someone starting a small business, brand new European regulations on data processing might be the last thing on your mind. Yet GDPR is the biggest overhaul of data protection rules in a generation, with major penalties for non-compliance, and it affects us all, whether we hold data in a database, in a spreadsheet, on a phone, or anywhere else. We’ve tried to interpret the new guidelines as best we can, for small businesses…
So what does it mean?
Well, in short, the General Data Protection Regulation (GDPR) gives consumers, donors and citizens much more control over how their data is used and processed. As a small business, you will be expected to assess the risk posed by keeping and processing the data of anyone on whom you hold information of any sort. You will be expected to protect that data, and to prove you have consent for using it for specific purposes.
Whilst exemptions from some of GDPR’s bureaucratic record-keeping obligations exist for small businesses (under 250 employees, and not processing massive amounts of data that can identify an individual), you will still be expected to comply. Failure to comply can now result in fines of up to £20,000,000.
What should I do to prepare my small business?
- Opt-outs for marketing materials are invalid under GDPR. So check your consents for contacting customers via email, post and text marketing. If they have not given explicit consent (checked a tick box that sets out exactly how their data will be used… pre-ticked boxes are not considered consent under GDPR), and you send any form of marketing materials out to them, you are not compliant. Make sure any tick box for consent, on forms of any kind, is clear in its aims and thoroughly sets out how the data will be used.
- Keep all evidence of consents given, and offer easy ways to opt-out once consent is given.
- Read the ICO’s guidelines on consent.
- Read the ICO’s guidelines on the Privacy Notices that you must have.
- If you already send marketing material out and you don’t have consents compliant with GDPR… make sure you get those consents prior to May 2018.
- Have a clear policy in place, in order to be able to explain why you’re collecting or holding certain data, how it is used, and how you can prove it was consented.
- Have a policy in place for dealing with data requests. Under GDPR individuals have the right to request the data you hold on them, to request changes, and the right to be forgotten. These requests should be dealt with immediately, and you should be able to prove that you did so.
- Understand that if you hold data on someone who has consented to, for example, marketing materials about Christmas sales you might have, you do not have consent to send them marketing materials on anything else. You can only process their data for the purposes they have specifically consented to.
- Have a plan in place in the event of a breach of data protection. You must report a breach within 72 hours of first becoming aware.
- It may be worth appointing a DPO (Data Protection Officer), not necessarily as a full-time employee but perhaps outsourced, to check your compliance.
What about Brexit?
With GDPR being a European Union law, you may think that leaving the EU means GDPR will not apply to UK companies after 2019. This isn’t the case. Not only will GDPR be replicated into UK law when we leave the EU, it also applies to any company that keeps and processes the data of EU citizens.
It’s not all worrying!
It is no surprise that GDPR is a frightening prospect for many big organisations, charities and businesses, so GDPR for small businesses is bound to be a scary thought. But it can also be a blessing. If you have a solid GDPR strategy in place, read the guidelines, and can demonstrate that your consents are GDPR compliant and gathered for a very specific and secure purpose, it reflects highly on the quality and security of your business practices. It lets your customers know that you take the security and use of their data seriously, it adds credibility, and by extension it adds value.
The full text of the GDPR can be viewed here.