GDPR – Are You Ready?


Your business might not hold as much personal data as Facebook but non-compliance with the new GDPR regulations could still cost you.

The furore surrounding the personal data breach involving some 87 million Facebook users has been headline news almost every day since the story broke. It comes at a pertinent time, as the new EU regulation on data protection (the General Data Protection Regulation) comes into force on 25th May 2018.

If nothing else, the Facebook scandal has probably made a whole lot more people sit up and wonder just what happens to their personal data, often given without a second thought, to many businesses across many sectors of industry.

Brexit won’t fix it

The new rules apply to all businesses within the EU and those trading with it, and whilst there are some exceptions to certain aspects depending on size, even micro-businesses will have to toe the line.

There are many guides available to the exact requirements for compliance with GDPR (the Information Commissioner's Office (ICO) even has a specific section for smaller organisations). This short post does not intend to go into detail but rather to point to the main areas where attention should be focused.

It may well be obvious to many, but the first thing any business needs to be clear about is exactly what data it holds and why it holds it. It's worth remembering that GDPR protects any EU citizen who is personally identifiable in the records of a business. For example, a simple email address is data that makes someone personally identifiable.

Being up front with customers about how and by whom any data might be used, along with an easy mechanism to withdraw consent, is also a key element of compliance with GDPR.

Once clear on this, it is vital to manage the data in an organised way: knowing where it comes from, where it is stored and what security measures, such as encryption, are in place to protect it. Anything that shouldn't be disclosed to third parties needs encrypting.

It’s an obvious step from there to appoint someone to be responsible for the data and other aspects of data protection compliance. Such a person should not be alone in shouldering responsibility though. In this day and age where practically everything is done online, management would be wise to help spread a company-wide security awareness culture.

All of the above focuses on avoiding data breaches. However, if something does go wrong it will need resolving. Having a clear plan and system in place to cover this aspect would not only be sensible but will be compulsory within the EU very shortly.

Spend to save

Of course there are financial implications to be considered, as there are whenever changes to business practices are implemented. It may be that professional help is required to bring a company up to speed, which will come at a cost. That money could be well spent, however, because whilst you may not be hauled, Zuckerberg style, in front of a Senate Committee to explain any breaches, you could be fined 4% of global turnover.


By Steve Leeves