There are now fewer than six months to go until the introduction of the new General Data Protection Regulation (GDPR). The new regulation will supersede the Data Protection Act 1995, bringing new requirements and standards into force.
The GDPR will introduce strict regulations on the ways in which data is stored, handled and used by businesses. As the date for implementation gets closer, this is the time for small businesses to begin introducing their improved data handling policies.
These new requirements pose serious risk if not adhered to, and the onus is on businesses to make sure that they are compliant with the new regulation or risk severe financial penalties.
Business owners must do all that they can to make sure that they are prepared for the upcoming changes and are able to comply with the new regulations. To help, the experts from Brighter Business have pulled together these top tips.
Do you have permission to handle data?
The internet has revolutionised the ways in which we interact, and has also created a stream of data from customers to businesses. However, the GDPR will change the dynamics of this by focussing on the distinctions between data owners, users and controllers.
Significantly, businesses are custodians (or handlers) of data, placing limitations on what businesses can do with the data they hold. They will also be expected to delete data that consumers no longer wish for them to hold.
As such, it is important that businesses have express permissions to store and use data. This means that people will have to actively opt in; implied consent is not sufficient. Businesses will also need to be transparent about the reasons they require data (for marketing purposes, for example).
With the emphasis on custodianship of data, businesses will also face new obligations around removing data from their systems. Data must be deleted permanently at the request of the data subject.
Register with ICO
You will have to register your business with the Information Commissioner’s Office (ICO) as a data controller. This is a statutory requirement, so if you haven’t already registered you should do so urgently.
If you handle personal data, you are a data controller. Personal data is any data that identifies, or can be used to identify, a person.
The ICO is the body which will hold businesses to account in the event of a data breach. Once you’re registered with the ICO, you should ensure that all your staff are trained to a suitable standard so that they know what their roles and responsibilities are around data protection.
Are your IT systems robust?
Any business could be the victim of a cyber-attack. Making sure that your business is protected from malicious attacks is an essential part of everyday security, and the GDPR places additional emphasis on the importance of online security.
Whether data is backed up on a physical hard drive or stored in the cloud, you should be aware of the risks and benefits of each approach and assess their pros and cons. If you outsource your IT requirements, you should also be satisfied that the external party is doing enough to keep you and your systems protected.
How will your digital strategy be affected?
Your digital strategy will be affected by the rollout of the GDPR, and to minimise any negative impact, you need to start thinking about how to deal with the changes ahead of time.
Ensuring that your systems are robust is essential, and you may need to reconsider some processes. You and your staff should also make yourselves aware of phishing techniques, and should not disclose data to anyone who is unable to answer security questions.
Even an email containing sensitive information that is accidentally sent to the wrong person can constitute a data breach. Minimising human error is an important step in preventing data breaches.
If your business offers customer service via social media channels, that is a channel through which customer data is communicated – and you will need to consider the impact of GDPR.
Introduce procedures which ensure the secure transmission of information via these channels: who can see the messages, and how do you ensure that the data communicated via these channels stays secure?
In the event of a data breach
In the event of a data breach, the Information Commissioner’s Office must be notified within 72 hours. Under the Data Protection Act, there was no obligation to report data breaches.
The statutory obligation is being introduced in order to protect consumers. Under the GDPR, fines will be much heavier, up to €20,000,000, or 4% of global turnover, whichever is higher.
These fines are designed to deter negligent behaviour around data handling, and could have serious impacts on businesses which fall foul of the regulation.
As such, beyond the requirement that data is adequately protected, one way to minimise your own risk is to reduce the amount of data that you hold. Data minimisation means holding only the data which you need for specific purposes; anything beyond that is unnecessary and therefore represents additional risk.