GDPR – Is Your Business Prepared?

If you haven’t heard of GDPR, or if you have but haven’t found the time to investigate how it might impact your business, then this guide will help you.

But first, an important disclaimer: Whilst we can make your website GDPR compliant, there are a number of factors outside of your website which you need to address and research yourself. Every business is different and that makes it very difficult to give precise advice on GDPR as your circumstances may differ from “the average business”.

So, what is GDPR?

GDPR stands for General Data Protection Regulation and is the culmination of a project to harmonise data protection rules across the European Union.

Has Brexit affected GDPR?

No. GDPR came into force before Brexit, and the UK government continues to follow GDPR.

Will my business or organisation be affected by GDPR?

Although there is no catch all answer here, it probably is, yes. Almost every business, charity and non-profit collects data of some kind, whether it’s name and address, card details or something more complex.

How does GDPR affect the Data Protection Act (1998)?

The government has enforced GDPR by introducing a new data protection bill. This replaces the old Data Protection Act, which has been repealed.

From a more practical point of view, the good news is that the two acts are not hugely different.

New, bigger fines

This is the GDPR change that has caused the most concern.

And although it is true that the maximum fine for failing to comply with data protection laws will go up to €20 million for the worst offences (from £500,000), the Information Commissioner's Office (the ICO, the body responsible for enforcing data protection laws in the UK) has indicated that it is unlikely to use these fines routinely, and that it will look to work with businesses to improve compliance where possible rather than punish them.

You’ll be more accountable for the data you handle

Larger companies (those with 250 or more employees) need to provide documentation detailing why they collect and process people’s data, what information they hold, how long they’ll hold it for and the security measures in place to protect that data.

In addition, companies that process people’s data on a large scale, or process a significant amount of sensitive data (such as medical information) will have to employ a data protection officer.

Clearly, the vast majority of smaller businesses are not affected by these changes.

However, what will affect businesses of all sizes is the need to obtain consent in order to use someone’s data for certain purposes – including marketing. This may sound familiar, but GDPR will require you to get positive consent from an individual in order to send them marketing material. (There are some exceptions to this rule.)

Are there any initial steps I can take to help me with GDPR?

The short answer is yes. The longer answer is also yes, but although these initial steps will help you, on their own they’re not enough to ensure compliance with GDPR, so make sure you’re fully aware of other steps you may need to take.

With that in mind, here are those initial steps:

Always encrypt personal data and store it on password-protected devices. Losing a USB stick containing unencrypted data would count as a data leak, and it is easy to avoid.

Understand what you need to do if you do have a data leak. Under the new rules, you need to contact the ICO within 72 hours of a leak, and inform those whose data has been leaked. This ICO guide goes into more detail on what to do after a data leak.

Develop a data policy, even if you don’t have to. Doing so will help you understand what data you collect, why you use it and if there is anything you can do to reduce data collection to make GDPR compliance easier.

Create a privacy policy and share it with your customers and website visitors. Make sure this outlines exactly what you’re collecting their data for and how you will be using it.

Carry out a data audit so you know exactly what data you currently have, and then keep your data records up to date. After all, you’ll need to be able to provide people with their data if they request it, and you can only do that if you’re keeping track of your data collection process.

(Re)seek consent if required. That way, you’ll have evidence that people have opted in to your marketing and that you’re using their data lawfully. Remember – people need to actively opt in for you to use their data lawfully, and you must clearly tell them what they are agreeing to.

What should I do next?

We’ve only skimmed the surface of GDPR here. The next step we’d recommend taking is following the ICO’s “Preparing for the GDPR 12 steps to take now” guide.

There is also an ICO helpline which you can contact.

You may also wish to seek advice from a legal expert who specialises in the field of data protection, depending on your circumstances.