The new General Data Protection Regulation (GDPR) means SMEs must reassess how they handle data – or risk paying the price.
Businesses already have a responsibility to form robust processes for handling people’s personal data, but the new General Data Protection Regulation (GDPR) demands an even more proactive approach. As of 25 May 2018, individuals will have greater control over their personal data – whether linked to them by name, or by other identifiers such as IP address.
Organisations must ensure they collect, use and store only information that they are legally entitled to.
Data duties are changing
The new regulation has been written with the individual at its heart. So, as well as requiring businesses to keep data secure, it gives individuals the right to request their data, as well as to amend or delete it.
SMEs must identify what data they hold and have sensible systems and processes in place to comply with the new rules.
You must make sure data is:
- Defined for both employees and customers.
- Kept for a lawful reason. You may need bank details, but are ethnicity and gender relevant?
- Not stored any longer than necessary.
- Securely stored and accurate.
- Available on request to any individual whose data is stored. The right applies to data subjects, not only EU citizens.
No longer a tick-box exercise
GDPR has serious implications for any business which uses data in its marketing, because it marks a shift away from the old adage ‘no action implies agreement’. Silence, inactivity and pre-ticked boxes no longer count as consent: where you rely on consent, it must be a clear, affirmative opt-in given before the first message is sent, and it must be just as easy to withdraw. The main exception is existing customers, who can still be contacted about similar products and services provided they were given the chance to opt out and can do so at any time.
Individuals also have ‘the right to be forgotten’, so the way in which companies present the permission question to customers is critical in determining what data they can collect and what they are allowed to do with it. The new legislation also applies to those who process personal data on behalf of another organisation, and consent given to one company does not automatically carry over to another. This means organisations that rely on buying databases for cold calling, profiling and segmentation may find their sources are depleted or no longer available.
Protect existing customers
The situation is a little less clear-cut for existing customers’ data. Organisations with high moral standards may wish to proactively contact their existing customer base to check whether they are happy for data to be stored and shared. This is not essential, but you must still be able to show a lawful reason for holding the data and for passing it on. Treat personal data like something tangible, such as expensive jewellery. Always do your due diligence before leaving something valuable in someone else’s hands: if a third party stores or processes data on your behalf, put a written contract in place and check that their security is at least as good as your own.