In a recent GDPR survey, almost 80% of SMEs admitted they are not ready for, or do not understand, GDPR. Don’t be one of them and put your business at risk.
The new Data Protection Act 2018, which governs how businesses must protect the personal information of EU citizens, is now live.
While some SMEs think they can fly under the regulation radar, the truth is that companies of every size – not just corporations – must be GDPR ready.
This is because the new Data Protection Act 2018, the legislation which brought the General Data Protection Regulation (GDPR) into UK law, is not simply a rebranding of the existing Data Protection Act, but a major overhaul.
The old laws were well past their sell-by date. GDPR aims to make sure we are all protecting the personal data we collect, so ignoring this legislation represents a very real risk to your business. Here are my five SME strategies for being GDPR ready.
GDPR ready – an opportunity to get ahead
All businesses, including SMEs, are likely to collect and share information about EU citizens. They can be part of other, larger companies’ supply chains and are expected to comply with their customers’ standards of information management.
An investment in being GDPR ready and meeting the higher standards of data management brings benefits for every business. When you help your client to protect their customers’ data, this builds greater levels of trust. In the long run, if you make compliance part of your everyday ‘business as usual’, you will be at a distinct advantage over businesses which cannot adapt to meeting GDPR standards – or the evolving standards of their customers.
Companies which understand and accommodate these new rules will also enjoy more accurate data, better cybersecurity and other competitive advantages in the long run.
What’s in your data?
All companies, regardless of size, store and handle personal data, and so are subject to GDPR rules. But it’s important to consider that GDPR differentiates between ‘personal data’ required for business activities, such as that used in billing, and ‘sensitive personal data’ – which is often collected, but not actually required by a business as it fulfils its contract with the customer. Sensitive personal data poses more risks under GDPR and includes political affiliations, sexual orientation, medical history and family details.
Organisations other than Government or Health, for example, must have specific, justifiable reasons to collect and process sensitive personal data. These may relate to a record of criminal convictions when working with children or the employment of individuals with specific medical needs. The GDPR lists 10 specific conditions; to justify processing sensitive data, at least one must be met.
Five SME strategies for being GDPR ready
1. Get your people up to speed. Ensure everyone in your organisation understands the principles of GDPR, how it affects the data they handle and the policy and procedures you have in place. From May, anyone can call your organisation and ask for specific information you might hold on them. Make sure you have a process in place and your employees know what to do.
2. Review your contracts. Do you outsource payroll, marketing or computer systems? It’s time to check that your external partners are taking GDPR seriously.
3. Do a data audit. Look at what data you hold – and why. Record the steps you take to be compliant, including installing data security and refreshing information to maintain accuracy. Only collect and store the minimum amount of personal information necessary for your intended purpose (and if your legal basis is customer consent this must be recorded). And retain it for no longer than is necessary.
4. Be transparent. Explain why you collect data and where you’re sharing it – as well as how people can contact you if they have requests or concerns. This will help inspire confidence and trust with your customers.
5. And when something goes wrong… Know what you will do in the event of a data breach or information request and make sure your people are fully trained. Having a plan in place will ensure you can comply with the timescales set and save your business time and reputational damage.
Assess your GDPR compliance
If you would like to assess your GDPR compliance to see if your business is GDPR ready, why not try our Readiness Assessment at https://gdpr.seer-i.com. Or alternatively for more advice and support contact your local Haines Watts office.
May 29, 2018