GDPR one month on: What next?

Gerrard Fisher, Astrid Data Protection Limited

Posted: Wed 27th Jun 2018

The General Data Protection Regulation (GDPR) came into force a month ago. Gerrard Fisher, Enterprise Nation adviser member and managing director of Astrid Data Protection, looks at what small businesses have been doing to adapt to the new regulations, and the common issues they've been facing.

25 May came and went, the world didn't end and the GDPR ship has sailed.

GDPR sees individuals gain greater control over their personal data and businesses made more accountable for their data processing activities.

Some small businesses have already taken steps to get their systems in order, but in the calm after the storm, many entrepreneurs are left wondering whether they really need to spend valuable time and resources on becoming GDPR compliant now.

What have small businesses been doing about it since 25 May, and what common questions do they have?

What is GDPR really about? You and your personal data

Think about you and your own personal data.

Somewhere, people are keeping records on your identity, address, credit rating, health and lots more besides. It might be your doctor, a physiotherapist, your bank, a solicitor, a retailer or a tradesperson.

Some of that information could cause you distress if it were seen by other people, published, deleted or just plain wrong. Wouldn't you like to know that your information is being looked after properly?

Last year, a survey by the Open Data Institute found a third of us trust companies more with our personal information when they explain clearly what they are doing with it.

Protecting customers' data is a great way to show that you are trustworthy and that you care about them. It can differentiate you from any competitors who treat customer information in a haphazard way.

There are still many businesses in the dark about GDPR

Many of the 5.5m small businesses in the UK will have obligations under GDPR, but the ICO's register of data controllers shows that only 530,000 businesses and organisations have paid their data controller's fee.

This suggests that many businesses are either unaware of the need to get GDPR compliant, or they're not getting the right information and don't understand their responsibilities under the new law.

We meet some businesses that think GDPR is just a one-off thing, like the millennium bug, and that it will go away.

Don't be fooled! If you get asked about protecting personal data, you will need to show what you've done to assess impacts and risks, and the actions you've taken to safeguard privacy.

Common questions and issues

Consent: The most common question I get asked is about the 'lawful basis' for processing. You probably remember the 'dash for consent' emails that you received in the run-up to 25 May, when organisations asked you to confirm you wanted to hear from them again.

Consent is not the only lawful basis your business can use. In fact, for many businesses it is probably the wrong basis to use for much of what they do. You need to pay your employees because you agreed to do that in their employment contract, so you shouldn't be asking for their consent to hold their bank account details and pay them!

Using data processors: I also get questions about data processors and how their work must be controlled. A data processor could be your bookkeeper, your delivery company or many other businesses that you work with. The new law is clear on the need to have a 'data processor agreement' in place to ensure your suppliers only use the information you pass to them to deliver the services you need.

Training: I also hear from businesses concerned about training their staff on GDPR. While you may only need one or two people who lead your company's compliance, it's important that all staff who handle personal information understand why and how to protect it, how to handle a 'subject request' and what to do if they find or cause a personal data breach.

Common causes of problems

The Information Commissioner's Office (ICO) regularly publishes information and statistics on data protection.

Keeping an eye on this can help us all understand how to better protect personal information. For example, in the health sector, around 80% of data breaches in the last quarter were simply emailing or sending information to the wrong person or leaving it somewhere by accident. How often have you done that?

The threats from non-compliance with GDPR

Small businesses largely face three common threats around personal data:

  • A customer or employee makes a request to see, correct or delete their personal data.
    If you receive a 'subject request' you are required under GDPR to respond accordingly within 30 days. This won't be easy if you don't know exactly what data you hold, who inside and outside of your business holds it for you, and where they all store it.

  • A business client has asked for evidence of GDPR compliance in the company.
    For many larger businesses and public sector organisations, GDPR compliance is business critical. If you are part of their supply chain, their compliance will rely on your compliance. They are likely to want to know that you are complying and see evidence of the measures you have taken.

  • You have a data breach.
    This could be as simple as emailing the wrong person, leaving a document on the train or losing a phone, or something more complex, like falling for a phishing email or being hacked. You must log data breaches and, where serious, report them to the UK regulator, the Information Commissioner's Office, within 72 hours. Whether a breach is reported or not, you need to investigate it, take appropriate measures to rectify it and take steps to prevent it happening again.

If you have good data protection measures in place, these things can all be dealt with easily. If you don't, it can lead to pain and hard work for you and your business.

GDPR isn't a box-ticking exercise; it's about handling other people's personal information with the same care and respect that you'd like other people to use when they work with your personal data.

If you have any questions about GDPR and you're an Enterprise Nation member, check out this Q&A where several experts are answering burning questions that small businesses have.

Gerrard Fisher, Astrid Data Protection Limited
I'm an expert in GDPR and run a small business GDPR compliance service called Astrid. Our aim is to make the compliance process as simple as possible for micro and small businesses; we do this through our simple step-by-step guidance and template system. Astrid also provides training for staff in short, bite-sized videos. What drives me? Helping businesses protect the sensitive personal data of their employees and customers. Many people don't understand how important personal data protection is, and the impact on their reputation if they get it wrong (Cambridge Analytica, anyone?). I also consult on business model change for sustainability (sometimes called the circular economy), helping companies to get more revenue and profit out of their existing production capacity by reusing and remanufacturing their products to access new markets and customers. What connects the two? If you eradicate data from old devices, you can sell and reuse them!
