The General Data Protection Regulation (GDPR) for small business can seem quite daunting. Aisling will be discussing it with Ronan Berry of Midlands 103’s ‘Taking Care of Business’ tomorrow night. As with the Millennium Bug of 1999, there is a bit of scaremongering going on, and some business owners are really panicked now. Whilst it is a serious issue, this article will hopefully provide you with some practical tips on how to get your small business ready for GDPR on May 25th, 2018.
What is the General Data Protection Regulation (GDPR) about?
The Data Protection Commissioner of Ireland states that it
“emphasises transparency, security and accountability by data controllers and processors”.
and that this is the first step with regard to data privacy for individuals. It’s about strengthening the rights of European citizens to data privacy, so as to avoid things like their data being sold or their being bombarded with advertising. It’s about data protection. If you are already compliant with the current Data Protection Act, then you are actually 2/3 of the way there now with the GDPR regulations. In fact, you could look at it this way: what has been considered best practice up to now will become the law on the 25th of May. The changes to the legislation give more powers to the individual. They can now take action (more easily) if their data privacy has been infringed, so you must have some sort of procedure in place to help you deal with any possible impact from that. You also have to keep service users fully informed as to how you use their data.
Where do I start?
It’s basically another page in your Standard Operating Procedures, one that documents the categories of data and data subjects you keep, the elements of personal data you keep within each category, the source of that personal data, the purposes for which the personal data is being processed, the legal basis for each processing purpose, any special categories, and the retention period for which you will keep that data. Once you have looked at those, document what action you need to take to be GDPR compliant.
Record how you store your data, how it is secured, and whether third parties can access it. If they can, what measures do they have in place? You also need to remember to put a plan in place for a data breach. This can happen as simply as someone within the company accidentally forwarding an email to you which contains data you don’t need at all, and which could be sensitive. The accountability piece needs to be relayed to all of your staff so that they understand what can happen should they breach confidentiality in any way. In our case, it’s standard practice that everyone who works for us signs a confidentiality agreement and understands the implications of breaching it.
GDPR Checklist
- Make a list of all personal data you hold.
- Do you still need to hold all of the data? Only collect data that you need.
- Is it safe? Is it secure? Is it encrypted? (A quick search in Google will return lots of data encryption services for small business.) At the most basic level, password protecting a file is a very simple form of encryption.
- Whether you are on a PC or a Mac you can encrypt data. On a PC, you can do it by going to Control Panel, Security and clicking on BitLocker. On a Mac, go to Applications, Disk Utility and select the files/folders to encrypt.
- If you store data in the cloud, it is already encrypted as it has to be under current legislation.
- Can it be accessed by anyone other than you? Why is that, and how do you keep it safe from breaches?
- If you use a USB key, get one that can be encrypted, e.g. IronKey or SanDisk.
- Have you a procedure in place that deals with a data breach? In other words, what happens in the business if someone who shouldn’t gets access to data?
- Emails can be encrypted. They already are if you use Gmail (or you can use the Chrome extension SecureGmail). Microsoft Office uses Azure Rights Management.
- One of the new things to note is that if someone requests access to the information you hold about them, it must be dealt with within 1 month. How will you handle that? Put a procedure in place and document it. You must reply to any requests for data within 72 hours. Rights for consumers under the GDPR have expanded further. Rights for individuals under the GDPR include subject access, having inaccuracies corrected, having information erased, objecting to direct marketing, and restricting the processing of their information, including automated decision-making, as well as data portability.
- If you use an email service like MailChimp, make sure you state at the bottom of the email how you got the customer’s details and why you are sending the email, and give the option to unsubscribe.
- Only keep their data as long as they are interested in your services/products/business.
Download the GDPR checklist by clicking on the image below.
You can access further information on the Data Protection website.