In between the royal wedding and BREXIT, you may have heard a lot in the news about the new General Data Protection Regulation (GDPR) and would no doubt have received various emails requesting your consent to opt in/opt out of newsletters. Many businesses have been working hard to put systems in place to comply with the new regulation.
What is GDPR?
The General Data Protection Regulation (GDPR), which is effective from the 25th May 2018 is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. Its aims are to give control back to citizens and residents in relation to their personal data by placing greater obligations on how organisations handle personal data.
How does GDPR affect small businesses, sole traders etc.?
There is a perception within the small business community that GDPR only affects the larger companies. However, this is not the case as GDPR affects all businesses from sole traders to global blue-chip companies regardless of BREXIT. Any business that controls or processes personal and sensitive data e.g. employee and/or customer data will need to comply. In layman’s terms this could refer to how you manage subscriber information for your newsletter, how you collect client information on your website e.g. payment details or how you store hard copies of employee information.
Are you ready for GDPR? Do you have systems in place to protect your data from cyber threats?
In a recent survey conducted by the Federation of Small Businesses it was highlighted that the majority of small businesses were still not prepared for GDPR. It found that 33% of small firms had not yet started preparing for GDPR and a further 35% were only in the early stages of preparations. With the increase in Cyber threats to businesses and not just the large corporations, it is really important for small businesses to get to grips with GDPR and implement the necessary changes to safeguard their data.
Given that the majority of businesses are now online or using related digital technologies such as mobile phones / laptops for handling personal data, it is crucial to remember that Technology and Security is a major part of the challenge.
Don’t let ignorance result in you getting fined for accidental data breaches.
Failure to comply with GDPR could result in heavy fines (up to €20million or 4% of your global annual turnover, whichever is greater), serious damage to the reputation of your business or closure in the case of small businesses.
For example, Carphone Warehouse were fined £400K by the Information Commissioner’s Office (ICO) for a data breach which was the result of a Cyber-attack on one of their computer systems in 2015. The compromised customer data included: names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details. Under GDPR they could have been fined up to €59 million.
What steps can small businesses take to prepare for GDPR?
If you are still unsure about GDPR or are in the early stages of preparation, read through the useful information below on how to Collect, Store & Use Data under GDPR:
8 Key Areas to Consider – Simple Tips & Ideas
1. Obtain Consent Freely, Explicitly and Clearly. Make sure across your web sites that when collecting data from the person that this is stated clearly, what you are going to do with the data is unambiguous and consent is given explicitly. Very often contact forms can miss such statements or be misleading in how they are worded.
2. Ensure Your Method of Data Collection is Secure. Many businesses currently have unsecure connections to their web sites that are vulnerable and open to attack and potential loss of personal data. This means that the security of connections to the website may be compromised and should be investigated and remediated urgently.
3. Always Know Where You Data is Stored and Sent to, as ignorance will be no excuse with the ICO. As Data Controllers, SMEs must always take responsible steps to ensure that the personal data being collected is kept safe. Thinking it is only contained in your emails when in fact copies are also collected and stored on your other systems and websites needs to be understood.
4. Know What & Where Your Data is Stored. A useful way to help with this aspect is to establish and maintain, for your business, a Personal Data Asset & Sharing Register, as illustrated in the very basic example below. This is also a useful resource to assist when handling Subject Access Requests and dealing with any breaches that may arise.
5.Take Steps to Secure Your Data. Very often devices are left un-encrypted, paper records left in open reception areas, key business systems and websites are left running out of date software and un-patched. With GDPR it is imperative to ensure you take steps to secure your data.-
6. Know Who Has Access to Your Data & Enforce the ‘Need to Know’ Principle. Often Admin rights to key devices, servers and systems are left open or poorly controlled resulting in the accidental or malicious loss of data. Always ensure that only authorised persons, who need the data to perform their work, are able to access. Setting in place best practice controls will lower the risks and reduce the damage and consequences arising from any hack.
7. Ensure the Use of Data Fits the Stated Reason for its Collection. Always ensure that the purpose and use of the data is aligned to the original reason it was collected. Any misuse will be poorly looked on by the UK Data Watchdog.
8. Put Controls in Place to Protect Privacy and Prevent Intrusion and Misuse. Continuing to market to individuals who have made it clear they do not want to be contacted is an absolute “none starter” and your business needs to ensure opt-out controls are set in place to protect these individuals.
Hopefully, you’re now more informed about what GDPR means for you and how it will impact SMEs, but if you’d like any further information the ICO has a wealth of material on their website. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
For further information on our services or to talk to us about your Cyber Security needs contact email@example.com.