I know what you’re thinking. Oh no – not another GDPR blog! But we’re almost into a single-digit countdown now, which means a lot of business owners have been running around for months trying to work out what GDPR means and how they should handle it. But for some business owners, GDPR is still a complete mystery. So today, we’re going to go through some of the key principles of GDPR, and what you as an SME should be doing right now to prepare for it.
What’s It All About?
While GDPR might sound complicated, it’s really only based around 2 key principles:
- Giving citizens and residents of the EU more control over their personal data.
- Simplifying regulations for international businesses with a single, unifying regulation that stands across the entire EU.
This means that GDPR will impact any business that processes the personal data of EU citizens, regardless of where the company itself is based. It’s also worth noting that the UK government has already committed to bringing GDPR into UK law, so even if Brexit does go ahead, GDPR will still apply. The entire regulation is designed to enhance the safety and security of citizens’ personal data, and to ensure that consent has been given for that data to be used.
In practical terms, GDPR means that businesses need to be completely transparent when it comes to collecting, processing, storing and deleting personal data. You will need to collect express consent to gather it, know where it is being stored, ensure its safety and be able to erase it completely if requested (thanks to the ‘right to be forgotten’ clause). Individuals will now have more rights and enhanced knowledge when it comes to their data, and your business needs processes in place to handle an influx of data requests.
What Can I Do To Prepare?
That’s all well and good, but what can you do to prepare for GDPR? Well, we have a few tips for you:
Know Your Data: You can’t possibly manage your data if you don’t know where it is, so now is the time to do a full data audit. Under GDPR, you will need to demonstrate an understanding of all the types of personal data you store (for example names, phone numbers, photos, IP addresses), where it came from, where you store it and how it’s being used.
Identify Whether You’re Relying On Consent To Process Personal Data: GDPR turns the current rules about consent on their head. So now, instead of ‘opt out if you don’t want us to store your data’, you need to be operating on ‘opt in only’. If you’re relying on consent to use data (for example as part of your marketing), then these activities are about to become harder. You now need to be able to prove that consent was given, and it needs to be clear and specific.
Look At Security Measures And Policies: Data security is another big one for GDPR. You will need to update your security measures and policies to include GDPR, and if you don’t have anything in place, you will need to create it from scratch. If in doubt – broad encryption across the board is a good way to reduce the likelihood of a penalty if there is a breach.
Prepare To Meet Access Requests Within A One-Month Timeframe: Anyone you hold personal data on will soon be able to ask you to produce it for them, and to delete any or even all of it if they want. You are expected to do this in a reasonable and timely manner, so it’s worth setting yourself an expectation. Ideally, you should be responding to these requests within a one-month period.
Make Everyone Aware: Awareness is key when it comes to preventing data breaches, so make sure your employees know what they’re doing. This includes GDPR training, breach reporting protocol and any other data handling processes you want to put into place. The biggest security risk to data is people – so make sure yours are on the lookout.
Create Fair Processing Notices: Under GDPR, you will be required to describe to individuals what you’re doing with their personal data. To make this easier for you, consider creating a ‘fair processing notice’ as a template that you can send to everyone.
Decide If You Need A Data Protection Officer: Most small businesses will be exempt. However, if your company’s core activities involve ‘regular or systematic’ monitoring of data subjects on a large scale, or involve processing large volumes of ‘special category data’ (any data that could be considered highly sensitive), you must employ a Data Protection Officer (DPO).
At Your HR Consultant, we understand just how much of a headache GDPR is proving to be for many smaller business owners. But the good news is, you don’t have to do it alone. There are a lot of experts out there who can help support you through your GDPR compliance journey, as well as a load of free resources available (like this checklist) to guide you through it. For our part, we are working with SME owners to help them understand their policies, create documentation to back them up, and even train managers on how to handle GDPR when it comes to employees. If you’d like to know more, or just want some advice, please just get in touch.