Many SMEs and micro businesses will overlook the necessity of GDPR in the new year, thinking that this is something that only applies to larger companies. The fact is no concessions have been made for SMEs and micro businesses, so going forward this is a best practice approach that should be factored into your daily routine.
As you know, the European Union is rolling out the General Data Protection Regulation (GDPR) on the 25th May 2018 and you will need to comply or you could face a fine of up to 2-4% of your global turnover. Elizabeth Denham, the UK Information Commissioner, has said that the UK will have to comply with GDPR after Brexit, so you have no excuses for letting it slip.
10 things you can do to prepare for GDPR from now:
- Read up as much as you can from the Information Commissioner’s Office website.
- Be aware that all companies will have to be accountable for data
- You need to make sure that your privacy notices are clear and easily understood
- Individuals will have greatly expanded rights over their data. Remember, the data you hold is theirs and not yours
- If individuals request the data you hold on them you should be able to provide this to them
- You need to justify your legal basis for processing any data you hold on an individual
- Don’t forget, consent is everything – watch your plugins, get rid of anything that asks for more information than needed.
- If your website or app is aimed at children you will have to comply with extra rules
- Data breaches (hacks) need to be taken very seriously. How secure is your website and how often do you test this?
- Adopt a privacy by design approach and make it your default choice.
All this is not new
Directive 95/45/EC was drafted on the 24th October 1995 and outlined the protection of individuals with regard to the processing of personal data and on the free movement of such data.
The 8 original data protection principles are that personal data must be:
- Stored fairly and lawfully
- Stored only for a specific purpose
- Relevant, adequate, and not excessive for that purpose
- Kept for no longer than it is necessary
- Kept in accordance with the individual’s rights
- Protected by technical and organisational security measures
- Not transferred outside the EU, unless the recipient country ensures adequate data protection.
You can read a copy of directive 95/45/EC by following this link.
What are the next steps?
The time to start planning for GDPR compliance was yesterday. Once you gather your data repositories and sensitive data you can begin to better scope your GDPR readiness.
The more saturated this market gets, the more selective and concerned people become about the amount of information held on them, so we should be using data ethically and transparently. Tell your customers what you want to do with their data and make sure that the outcome delivers value to them as well as your business.
Companies that have had websites developed by a 3rd party and are not 100% sure how data is stored or being used, especially with contact forms, should get in touch for a consultation to see what information is stored server-side.
Companies that ask for sensitive personal data online, this includes any of the following:
- Trade Union membership
- Past spent criminal convictions
- Upcoming criminal proceedings
What if I pay someone else to do our marketing?
The guide to privacy and electronic communications regulations (PECR) states “You are both responsible for complying with PECR. Even if someone else actually makes the calls or sends the messages, you are still responsible, as you are ‘instigating’ those calls or messages. If we needed to take enforcement action, we would usually take it against you as the instigator. In some cases we might consider taking action against a specialist subcontractor as well if they deliberately or persistently ignored the rules.
You should make sure you have a written contract that sets out your contractor’s responsibilities. You may also want to ask your contractor to indemnify you (protect you against loss) for any breach of PECR. If they break the law and expose you to enforcement action (and reputational damage with customers), you may then be able to seek legal advice about taking action for breach of contract. However, an indemnity is not a substitute for proper checks of your contractor – remember it is still your name and reputation at stake.” Source.
Schedule a brief consultation with any questions you have
We are happy to schedule an online consultation with you to go over your unique business requirements and help guide you in the right direction with any questions you have. Consultations cost £150 and can last around 1 hour. After we evaluate your situation, we provide you with a written breakdown of the steps you should take. If you decide to appoint us as your representative, we will reimburse the fee.