The General Data Protection Regulation (GDPR) is a new regulation which will take effect from 25th May 2018. It is being introduced to strengthen data privacy for individuals across the EU.
In order to comply, SMEs will have to follow a number of guidelines around how they process and store data. Whilst this can create an administrative burden (alongside heavy fines for not complying), companies can also benefit by making marketing activity more efficient, improving their reputation and improving the overall security of their business data.
Here’s everything you need to know…
What is GDPR?
The General Data Protection Regulation (GDPR) will apply from 25th May 2018 and will replace the UK Data Protection Act 1998.
The new law brings a 21st century approach to data protection, meaning that it considers how our systems and processes have been digitally transformed, for example by using cloud storage, CRM systems and mass mailing software to store data and keep in touch with clients and potential clients. All of these items, and many more, mean that the data of individuals is currently being stored and used by organisations in a way that is deemed to be unregulated.
GDPR has been designed to expand the rights of individuals. It will protect them from the unsolicited use of their data, including everything from sensitive information such as personal, credit and medical records to contact details and email addresses. Then, by introducing a range of obligations that make everyone more accountable for data protection, it further ensures that organisations which have been authorised to use the data are taking measures to store it safely, tackling now commonplace hacking threats and invasions of privacy.
Understandably, these measures are overhauling systems for the largest organisations in sectors such as banking and healthcare, but the legislation has a significant and wide-reaching scope that affects businesses of all sizes.
Who Does GDPR Apply To?
All companies within the EU, irrespective of their size, will have to comply with GDPR’s legislation around the collection, storage and use of personal information.
Organisations with more than 250 employees will have to appoint a Data Protection Officer. Additionally, certain large companies are forcing smaller businesses within their supply chain to meet enhanced information security requirements in order to protect themselves.
For organisations with fewer than 250 employees the legislation is less onerous; however, SMEs will still have to make efforts to be more stringent in how they maintain records and handle data.
And for British companies wondering whether this will apply to them post-Brexit: whilst GDPR’s implementation date falls before the UK’s withdrawal from the EU, the Government has suggested that it intends to implement equivalent rules following our departure.
What Actions Do SMEs Need to Take to Be GDPR Compliant?
- Audit Your Data
As GDPR relates to personal data, it is important to first understand which of the data you hold falls into this category.
GDPR defines personal data as “information relating to an identified or identifiable natural person.” Examples of this include an individual’s name, contact details or photographs.
Usage and retention of data which meets this classification will have to be considered for GDPR purposes.
- Seek Consent
If you are relying on consent to use personal data (e.g. to send marketing materials), you will need to take extra precautions to make sure that you have explicit permission from the individual to do so.
Records must also be maintained to prove how the consent was obtained.
- Create Processes to Give Rights
Individuals who have personal data held on them will have the right to correct any inaccuracies, as well as to access the data held on them. Additionally, in certain circumstances, they will be able to request that all of the data held on them be erased.
Any requests must be fulfilled within one month. In order to prepare, businesses should implement processes to respond to requests in an easy and time-efficient manner.
- Educate Your Staff
Whilst most SMEs will not have to appoint a Data Protection Officer (DPO), it is good practice to educate employees about how to be GDPR compliant and how to prepare for data breaches.
Data breaches are defined as “a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”
Breaches need to be reported to the Information Commissioner’s Office (ICO) within 72 hours.
…But There Are Benefits
- More Efficient Marketing
Being GDPR compliant will heighten the accuracy of the data companies store. Maintaining up-to-date personal data, and only marketing to individuals who have given unambiguous consent, means that sales campaigns are likely to be more effective because they are more targeted and relevant.
- Boost Your Reputation
Over the last few years, there have been a number of high-profile data leaks from well-known companies such as Uber, Adobe and JP Morgan. Being vocal about going above and beyond the minimum GDPR requirements will boost the reputation of your business by reassuring customers and prospects that you take your data security seriously.
Additionally, this may put you in a stronger position to sell to a larger company that requires its supply chain to conform to certain GDPR restrictions.
How to Manage
When it comes to GDPR there is a lot to consider, and reading one article isn’t enough. To get to the point, read our 5 Steps to GDPR Compliance for Small Businesses article, then find out how Cottons can help your organisation comply with the new obligations.
Contact our GDPR specialist Ben Burnett with your immediate queries or get in touch with your local office to arrange an appointment to discuss GDPR and your business. We have offices in London, Daventry, Rugby and Northampton.