You’re not alone in feeling nervous about the possible impact of GDPR (General Data Protection Regulation) on your business. There’s a growing volume of noise on the subject right now, which is mixing dense technical jargon with uncertainty and a dash of scaremongering. To help you form a better understanding of the risks to, and obligations of, your business, we’ve put together this short guide to GDPR. Be aware that the fine detail of GDPR is still being decided, and that its impact could vary depending on the size and nature of your organisation. This guide can only provide an overview and you should consider taking specialist advice.
The basics of GDPR
GDPR comes into effect on 25 May 2018. It updates and strengthens the current data protection rules. It’s largely focused on personal data, such as names, addresses and other information held about individuals. Unlike the current data protection rules, it applies to records held on paper as well as those held digitally. If your organisation holds detailed sensitive information about people, or information on children or young people, get expert advice on how the new rules apply to you. GDPR strengthens the individual’s ‘right to be forgotten’. People can ask to be deleted from your records, and expect that deletion to be carried out. Organisations that break the new rules face the threat of massive fines, up to the higher of Euro 20 million or 4% of global sales.
GDPR and digital marketing
Many businesses are worried about the impact of GDPR on the mailing lists they’ve spent years building. They’re concerned that if they can’t prove that someone asked to be included on the list, they may be in breach of the new rules. However, you can continue to email people working for limited companies, limited partnerships and government institutions, as long as you give them a route to opt out. You will need to get permission to email private individuals, sole traders and those working in unincorporated businesses. Getting permission means being clear about what you’ll do with any information they supply, and having them make a clear choice to opt in. The introduction of GDPR could be a good opportunity to clean up your marketing database, or indeed to consolidate multiple databases that have grown up over time. It’s a chance to get rid of duplicate or out-of-date information.
GDPR and business data
Even the smallest business accumulates a mass of data over time, and it’s often stored inconsistently and insecurely. Where that data contains information about individuals, it probably falls under the scope of GDPR. A first step to achieving GDPR compliance is to conduct an audit of all the data in your organisation. This includes everything from your HR system to a spreadsheet of contacts that a member of your sales team maintains on their laptop. Consider creating a map of how personal data flows through your business, from the point of capture (such as signing up to an emailing list) to all its potential uses, and its eventual deletion.
If you don’t already have them, you probably need policies around issues such as:
- Preserving privacy
- Handling requests to review the information you hold
- Dealing with ‘right to be forgotten’ requests
- Accountability for processing of personal information.
GDPR and data security
Any data you hold on individuals should be secured to prevent unauthorised access, and you should consider regular audits of your security. Businesses should also prepare procedures for handling a data breach. It’s possible to predict, based on the type of data you hold, the type of information that could be lost in a data breach, allowing you to have contingency plans for notifying the relevant authority and, if appropriate, contacting those whose data may have been taken. Preparing for a data breach includes:
- Educating staff in what constitutes a breach
- Implementing an internal process for reporting potential breaches
- Having a process for reporting breaches externally
- Developing procedures for investigating and learning from breaches.