As an SME, the hope is that you have at least heard of GDPR, if not already started making the changes needed to comply. If you haven't given it any thought until now, make it a priority: the deadline is fast approaching. Failure to comply with the legislation can result in significant fines (up to 4% of your annual worldwide turnover or EUR 20 million, whichever is higher). Supervisory authorities can also order you to stop processing personal data altogether if you cannot show that you have taken adequate steps to comply with certain rules, such as protecting the data against hacking. Don't assume that leaving the EU will make any difference: the legislation is here to stay regardless of Brexit.
As an SME or startup, the list of requirements and the documents you need to complete to maintain compliance can be a little overwhelming. So we've identified ten steps you need to consider to get you started.
1. What is it?
GDPR (the General Data Protection Regulation) governs the way in which anyone handles, works with, processes and stores personal data. You are responsible for taking the necessary steps to ensure that you are compliant, whether your records are on paper or electronic, and that any third party who supplies you with data, or processes it on your behalf, is also compliant. The rules extend to how you keep, access and share that data.
2. The rules only apply to consumer data, though?
Not any more. GDPR is far more encompassing than the Data Protection Act of 20 years ago. Personal data means any information about an identifiable living individual, so it covers your customers, the named contacts at the businesses you deal with, and your own employees.
3. Nominate your data protection officer
If you are a one-person company, then obviously this will be you. GDPR only makes a formally appointed DPO mandatory in specific cases (for example large-scale monitoring of individuals or large-scale processing of special category data), but someone in the business still has to own data protection. There are many documents and guides to follow to ensure that you implement the right data handling strategy for your business; as a small business, not all of them will apply. It is your responsibility to manage and police data protection in house, and you will need to complete self-assessments regularly too. There are many companies offering downloadable packs with all the documents you need to have in place (at a price), but if it saves time, it may be worth the investment.
4. Get your house in order
Have a separate folder or section in your filing system for GDPR. Is the data you use to do business held in different locations? How do you maintain that data? Set up audit, breach-tracking and NDA folders that can be reviewed when you carry out your regular data audits and reviews. Think about future-proofing too. You may be small now, but you want to grow your business, and the data you accumulate will grow with you.
Individuals will now be able to request to see all the data you hold about them. You are no longer allowed to charge for the privilege (except where a request is manifestly unfounded or excessive) and you need to provide this information to them within a month. That means you need to know exactly where every piece of personal data lives, so that you can pull together everything you hold about one person within that time, and whatever you hold it in needs to be compliant.
5. Audit your current data
Do you know where you got your data from? Did you buy it from a data broker, collect it from a sale via your website, or source it from social media? You need to start recording this information. Check whether the consents you already hold meet the GDPR standard (freely given, specific, informed and an unambiguous opt-in); where they do not, you need to update your opt-in process and ask people to re-consent.
6. What should I hold?
Keep it simple. Data should only be what you need, held for the period of time that you need it. Rationalising your data can be a good thing and can potentially save you money: holding endless data in cloud databases can be costly for storage space. Remember that special category data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health, and sex life or sexual orientation) may only be held where a specific condition applies, such as keeping a medical record. Financial data is not a special category, but it is still personal data that you must protect.
You also need to track the provenance of that information: how did you get hold of this person's data, and where did they opt in or agree to be contacted by you?
7. How do you store data?
Your website, email platforms, cloud-based services for payroll or CRM, social media accounts and even that dusty Rolodex. Do you know how secure these systems are and who has access to the data? Limit access to the minimum each person needs to do their job, and remove it when they leave.
If you collect data via your website, at a minimum you need to serve it over HTTPS with a valid TLS certificate (usually still sold as an "SSL certificate"). That protects your customers' data while it travels between their browser and your server; it does nothing for the data once it is stored, so the storage itself needs securing too.
8. Make it clear - consents and privacy notices
If someone buys something from you, make consent to future marketing communications a clear, unticked opt-in and provide details of how they can remove themselves from that list at any time.
You also need to consider the privacy notices on your website, any email disclaimers, and any other sites where you may need to publish your privacy and data collection notices. So, for example, if there are T&Cs they need to agree to, you cannot lump those in with your opt-in for marketing communications under one tick box.
9. Transferring information
If you need to share personal information with anyone, think about how you are doing this. Use a secure file transfer system (SFTP or an HTTPS upload rather than plain FTP, which sends files and credentials unencrypted) and always encrypt files before you send them by email, sending the passphrase by a separate channel (a phone call or text message) rather than in the same email. Old-style password-protected zip files use a weak cipher and should not be relied on. If you send data to a third party who processes it for you, an NDA (non-disclosure agreement) on its own is not enough: GDPR requires a written data processing agreement setting out what they may do with the data and how they must protect it.
Make sure you understand what constitutes a data breach and how breaches will be recorded. These can be simple mistakes, like including personal email addresses in a send-to-all email, or sharing customer data such as bank details in the body of an email to a third party whose email system was hacked. A breach that puts individuals at risk must be reported to the supervisory authority within 72 hours of you becoming aware of it, so you need a process for spotting and logging breaches, not just a folder to file them in.
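As an added example of encrypting a file before it goes out by email (this is not from the original article, and no particular tool is prescribed there), the script below uses the OpenSSL command-line tool, which is present on almost every server and Mac, to encrypt a customer export with a passphrase and to decrypt it at the other end. The environment variable name FILE_PASS, the function names and the sample CSV are all assumptions for the demonstration. The passphrase is read from the environment rather than typed on the command line so it does not end up in shell history or the process list, and it must travel to the recipient by a separate channel. Note that `openssl enc` provides confidentiality only, not tamper detection; if you have a choice, `gpg --symmetric` or `age` are better-suited tools for this job.

```shell
#!/bin/sh
# Added example (not from the original article): encrypt a file with a
# passphrase before emailing it, and decrypt it on the receiving side.
# Assumed convention: the passphrase is supplied in the environment variable
# FILE_PASS so that it never appears on the command line or in shell history.

# encrypt_file <plaintext> <output>
# AES-256-CBC with a random salt and a key derived from FILE_PASS by PBKDF2.
encrypt_file() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  [ -n "${FILE_PASS:-}" ] || { echo "set FILE_PASS first" >&2; return 1; }
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
    -pass env:FILE_PASS -in "$1" -out "$2"
}

# decrypt_file <ciphertext> <output>
# The recipient runs this with the same FILE_PASS, received by phone or text.
decrypt_file() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  [ -n "${FILE_PASS:-}" ] || { echo "set FILE_PASS first" >&2; return 1; }
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -pass env:FILE_PASS -in "$1" -out "$2"
}

# make_sample <path>: a constructed two-line customer export so the demo runs offline.
make_sample() {
  printf 'name,email\nJane Example,jane@example.com\n' > "$1"
}

# demo_roundtrip: encrypt the sample, check the ciphertext does not leak the
# plaintext, decrypt it and compare. Returns 0 only if every step succeeded.
demo_roundtrip() {
  tmp=$(mktemp -d) || return 1
  make_sample "$tmp/customers.csv"
  FILE_PASS='correct horse battery staple'; export FILE_PASS
  status=1
  if encrypt_file "$tmp/customers.csv" "$tmp/customers.csv.enc" \
     && ! grep -aq 'jane@example.com' "$tmp/customers.csv.enc" \
     && decrypt_file "$tmp/customers.csv.enc" "$tmp/decrypted.csv" \
     && cmp -s "$tmp/customers.csv" "$tmp/decrypted.csv"; then
    status=0
  fi
  rm -rf "$tmp"
  unset FILE_PASS
  return $status
}

# Sending side, in practice: FILE_PASS=... encrypt_file customers.csv customers.csv.enc
# then attach customers.csv.enc to the email and phone the passphrase through.
demo_roundtrip && echo "round trip OK"
```

The 200,000 PBKDF2 iterations slow down anyone trying to guess the passphrase from the attachment, so they are only worthwhile if the passphrase itself is long and random. Because CBC mode without a MAC cannot detect tampering, a modified or wrong-passphrase file will usually fail with "bad decrypt" but is not guaranteed to, which is the reason to prefer an authenticated tool such as gpg or age when one is available.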
10. Get a little help
Let others do this for you. We're not talking about passing the buck here, but there may be some quick wins that help you comply without an additional paper trail to manage. By using a third party like a payroll management company, they handle the day-to-day protection of that data so you don't have to double up on the work, but you remain responsible for it as the data controller, so you need a data processing agreement with them and should check how they protect what you hand over. This leaves you free to concentrate on other data sources and on running your business. Equally, if you have help from a contractor to run your marketing, make sure you have seen how they manage the data, that you have a copy of their policies, and that you have a signed agreement covering liability to back this up.