What is GDPR & how will it affect your small business?
New Data Protection Regulations come into force this May and every business must comply or face hefty fines.
A recent survey* revealed that 55% of UK business leaders were unaware of GDPR and that only 35% of companies have a record of consent to store their customers’ data. Only 27% of these businesses believed GDPR applied to them, despite 73% of the companies agreeing that they held customer data on file. So, what is GDPR and will it affect your small business?
What is GDPR?
Changes to the 2016 EU General Data Protection Regulation (or GDPR) will come into effect on 25th May 2018. This regulation supersedes the Data Protection Act of 1998. All companies operating within the EU that hold customer or third-party personal data must take steps to comply.
What data does GDPR protect?
• Basic identity information such as name, address and ID numbers
• Web data such as location, IP address, cookie data and RFID tags
• Health and genetic data
• Biometric data
• Racial or ethnic data
• Political opinions
• Sexual orientation
Active not silent ‘opt-in’
In short, customers (past, present and future) must actively opt-in to any communication from your company. They must also be given the option to withdraw consent or to unsubscribe at any time.
8 Steps to become GDPR compliant
1. Data Handling
Your company must have guidelines in place for the storing and handling of personal data.
2. Review all data held
How is existing data held and what is it used for?
3. Appoint a Data Protection Officer
Assign someone to oversee and ensure GDPR compliance, or hire someone specifically for this role.
4. Create a Data Protection Plan
Review and update existing plans in line with the new GDPR regulations.
5. Carry out a risk assessment
Review what data your company stores and processes on EU citizens. Understand the risks around it. Your risk assessment should also summarise measures taken to mitigate that risk.
6. Contact existing clients
Create a plan for contacting all existing clients to confirm the data you hold and ask for their explicit consent for future communications.
7. Build an Incident Response Plan
GDPR requires that companies report breaches within 72 hours. How well the response plan minimises the damage will directly affect the company’s risk of fines.
8. Ensure all third-party partner companies have a GDPR policy
E.g. IT Support, cloud providers, print houses, mail handling, accountants etc.
For more detailed information on GDPR, visit the ICO website as follows: