What is the General Data Protection Regulation (GDPR) and why do I need to know about it?
17th July 2017
Simply put, the General Data Protection Regulation (GDPR) is a new piece of European legislation being brought in from 25 May 2018 replacing the existing Data Protection Directive and the Data Protection Act 1998.
It means that any organisation that handles data about others will need to ensure that customers, consumers or clients know exactly how their data is being used and who might see it. Data will need to be kept securely and not used in a way that is deemed to be excessive or unfair. So anything with a name, email address or even an IP address, for example will need to be protected.
Great news for consumers, but means almost all businesses will need to review their processes in order to ensure they are compliant with the new rules.
And, before you ask, even if we do exit Europe after this period, these rules will still apply while they transition over to new legislation which is expected to be fairly similar.
The upshot is, as a SME business owner, you need to know what this means for you, and what you need to put into place now to be fully compliant by May 2018.
If you use a third-party contractor to handle your customer data, then you will be impacted. So, for example, if you use a company to operate your marketing list, store your database, analyse consumer data, track website use and even process payments, then you need to read on.
The new legislation means that these third-parties will be liable if they mishandle data and they, and you will need to ensure that they comply with certain rules, such as how they keep records, or deal with a data breach, for example. So you will probably be receiving an updated contract from these guys shortly (think companies like Xero, Mailchimp, etc), and you will have an obligation to your customers to tell them who is handling this data, in much more detail than the tick box where consumers say that they have understood the privacy policy which tends to exist at the moment.
There are some serious fines for non-compliance, so any breach of these new rules could be pretty expensive. So it’s important to get down and dirty with data protection before you’re unexpectedly caught out. And to start that now.
What should you do?
First step is to review what you have in place at the moment. The good news is that Host My Office can help you begin that process, so just get in contact, and we can help you work out what’s needed. Phew! Thank goodness for that!
There are quite a few things that need reviewing in light of the new rules. You’ll need to think about the email list you have and what you do with those addresses, privacy text on your website, customer consent forms, and that’s just for starters. And it will all take time, so don’t wait around.
You’ll also need to identify all of your third-party data handlers, and find out from them what they are doing to ensure they comply with GDPR. It may mean changing suppliers if you aren’t satisfied that they are doing what they need to. This new legislation affects everyone, big or small, so don’t take it for granted that a big business will know what they are doing, particularly if they are based outside of the EU, they may not even need to revamp their T&Cs. Consider employing the services of a specialist, particularly if the business offers online behaviour advertising services or website analytics, as these businesses could be in line for huge fines if caught out. Did we mention that we can help with what needs to be done?!
HR teams may need to take legal advice on the rules on handling employee data. For example, any individual may make a request to an organisation he/she believes is holding their personal data for all information they hold about him/her. This is known as a ‘subject access request’. Although there are certain exceptions on what needs to be provided under the current rules, these exceptions do not apply under the GDPR, some current exceptions may not be carried over. So the advice is to be careful about what is written down about individuals (electronically or otherwise) as they will be likely to be able to see it if they request it. We’re working with our partners at Keystone Law, and they can help you with the legal side, so just let us know, and we’ll put you in touch with them.
In terms of IT, security needs to be reviewed, and businesses need to have a data breach plan in case of any attack. If data is not needed anymore, then it may need to be destroyed in the right way.
Once everything has been reviewed and updated, then training needs to be offered to ensure that all staff operate within the new guidelines. All staff need to be clear on where data is being stored, and how it can be used legally.
What if SMEs ignore the rules?
SMEs may not realise the level of fines for non-compliance. Fines are punitive. Non-compliant businesses can be fined up to 2–4% of global turnover or 10m/20m euros if greater. Per breach. That is enough to make most business owners sit up and take notice.
So take action now. Get in touch and ensure you are leading the way when it comes to being compliant. The alternative isn’t worth thinking about.
