GDPR: The regulatory elephant in the room you need to be ready for
Posted: Mon 12th Mar 2018
You may have heard about the impending introduction of the EU's General Data Protection Regulation (GDPR) but are you ready? Simon Willies, head of commercial at Currys PC World Business, a supporter of the Go and Grow Online campaign, explains how to make sure you're fully prepared for the rules coming into effect on 25 May 2018.
Firstly, and most importantly, don't panic!
You have time; the regulation doesn't come into effect for more than two months, meaning you have a good opportunity to get your house in order.
However, don't get complacent. Failure to follow GDPR could prove costly, with fines for breaching regulation reaching up to €20m or 4% of the company's global annual turnover, whichever is greater.
The first rule of GDPR, therefore, is that no business, big or small, can afford to ignore it.
So, how can you make sure your small business is playing by the book?
The six fundamentals of GDPR success
GDPR is centred on protecting consumer rights and ensuring their data is properly protected by the organisation to whom it has been entrusted. The legislation is built upon six fundamentals that any small business must become familiar with:
Data must be collected for a specific reason
All data must be processed fairly
Its usage should be limited to relevant processes only
All data should be up to date and accurate
It must not be retained for longer than is necessary
It must be protected by sufficient security measures
Understanding these areas is crucial, and your organisation must act to ensure they remain within the law:
Carry out an audit:
You'll often be surprised by how much data you have on file, especially if you're a small business that's been up and running for several years.
If you're going to protect your data, you need to know what you have. Outdated data, or information that's no longer relevant needs to be removed from your systems if you're to comply with GDPR.
If your company employs more than 250 individuals you are required to maintain a record of all your organisation's personal data processing activities internally, and to make them available to the regulator upon request.
Check-in with your suppliers:
Another important part of the audit process is checking that your suppliers are also compliant and that your contracts with them are futureproof.
Many SMEs work with an entire network of third party suppliers, but you will still be liable if they fail to protect your data in an adequate fashion. That means that you need to include specific requirements in your contracts with your suppliers.
For example, in the event of a data breach, your supplier is required to notify you without undue delay after becoming aware of the breach.
More generally there needs to be a set of written terms requiring the supplier to demonstrate their own compliance with the GDPR and support you in relation to data protection matters.
You should be thinking about:
Identifying existing contracts with suppliers and ensuring a data processing agreement is put in place which complies with the specific GDPR contractual requirements
Ensuring suppliers are reviewing their own data security
Create a paper trail and classify it:
By having a record of all data you've collected, you'll be able to provide evidence that you're compliant, and even if you have a small breach, you'll be able to quickly rectify it.
You also need to make sure any personal information is classified accordingly, so you know which pieces of data you're storing need the most protection.
Remember your customers and colleagues are entitled to copies of information you hold about them and, in some instances, to require you to erase the information. To do so you first of all need to know where your information is!
Spread the word:
It's crucial that all your team are conscious of the changes coming into place. Make sure you've explained to them what's happening, when and why.
It's also important to have a clear Data Protection policy regarding how you handle and store personal data across your organisation, so you can be sure everyone is on the same page.
Keep up the training. Make sure your staff practices good information security process, from using complex passwords, to changing them frequently, and not sharing these passwords with other colleagues or unauthorised persons.
You should treat your customer and employee information in the same way that you would treat your own information. You wouldn't leave your bank statement, or passport lying around, would you?
Be tech ready:
It's all well and good having the theory, processes, and people on board with GDPR, but if your tech isn't up to the job you could find yourself in serious trouble.
Take the time to check that all your devices are encrypted with the latest security software, so you can rest assured that your data is protected.
Review the way in which you collect, store and destroy documents which might include information on your customers or employees. Some questions you might consider asking yourself:
Is our premises secure from outside intruders? E.g. CCTV, alarms etc
Are paper documents held securely in locked cabinets? As an alternative, can we scan any paper documents and hold these electronically?
Are visitors required to sign in and wear and pass?
Do your co-workers operate a clear desk policy and tidy away sensitive documents when away from their desk?
Am I satisfied that my colleagues know how to detect a suspicious email (which may contain viruses designed to steal data from your PCs)?
Does my company dispose of such documents in confidential waste bins?
Keep up the good work:
GDPR isn't about ticking boxes and forgetting about it, it's something you're always going to need to be aware of, so make sure to continue testing, monitoring, and bettering your processes.
Dedicating a little time each month to check you're compliant, could save you a big head ache when it comes to being audited.
Ultimately, SMEs needn't feel burdened by GDPR. There is plenty of time to get your house in order and for many of you, you'll need to make only a few minor changes to be compliant.
Just remember to document everything you're doing and keep your customer's rights at the heart of everything you do, that way you'll keep them, and the regulator, happy.
Currys PC World Business supports Enterprise Nation's Go and Grow Online campaign which encourages more businesses to get online and supports existing internet traders to grow through inspiring content and events. Get advice and book event tickets here.
Access hundreds of deals on the latest technology to keep you connected while working flexibly at Currys PC World Business.