GDPR, the new data protection framework, comes into force on 25 May 2018. Is your small business ready?
What is GDPR?
GDPR (the General Data Protection Regulation) is a new legal framework drawn up by the European Union to better protect the public’s personal data and to enforce their rights. It applies from 25 May 2018. Brexit does not change this: the UK government has confirmed that GDPR will apply in the UK, and it is being written into domestic law so that it continues to apply after the UK leaves the EU.
Is my small business affected?
Yes. Some requirements, such as appointing a Data Protection Officer, apply only to certain kinds of organisation, but most of the core obligations apply to any business that holds personal data about customers, staff or suppliers, however small. We cover below the main points that could affect your small business.
The right to be forgotten
This is your customer’s right (formally, the right to erasure) to ask you to remove their personal information from your records. When a customer withdraws the consent you relied on to keep their information, you must delete it, unless you have another lawful reason to keep some of it (for example, invoices you are legally required to retain for tax purposes). In that case you keep only what that reason requires and tell the customer why.
Scribbled notes that are not filed in any structured way fall outside the rules, but filed or archived information does not, and neither do backups. If a customer’s data sits in a Server, PC or Sage backup, the ICO expects you to delete it from there too where that is practical, and where it is not (for example, a sealed weekly backup image), to make sure it is never restored and that it is overwritten when the backup is rotated.
Two related rights sit alongside this. Under the right of access, you must provide a copy of the information you hold on a person at their request, normally within one month and free of charge, in a form they can actually read, such as a Word document or PDF rather than a dump from your accounts system.
Under the right to data portability, where you hold data on the basis of consent or a contract and process it on a computer, the customer can also ask for it in a structured, commonly used, machine-readable format (a CSV file is the usual example) so that it can be passed to a different “data controller”, i.e. another company that will hold their personal data.
If you rely on consent, you must be able to show it: keep a record of what each client agreed to, when, and how (a signed form, a ticked box on your website, or a dated e-mail). The consent request itself must be clear, concise and in plain language, not buried in “legal jargon” or pre-ticked by default.
It must also be as easy for a client to opt out and withdraw consent as it was to give it.
On top of this, if a customer asks you to erase their data and you have already passed it on to a third party, you must tell that third party about the erasure so they can delete it too, unless doing so is impossible or disproportionate.
If there is a data breach, where client information is lost, destroyed, altered, disclosed or stolen, you must report it to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to put anyone at risk. Where the breach is likely to cause serious harm to the individuals, such as damage to reputation, discrimination or financial loss, you must also tell the affected customers themselves without undue delay, so that they can protect themselves. Keep a written record of every breach, even the ones you decide not to report.
Data security - best practice for your business
The Data Protection Act 1998 (DPA 98) set the standard for keeping data secure. Although the requirements of GDPR will surpass those of DPA 98 by some distance, data security remains at the heart of the new legislation.
Do make sure you have taken the following steps in your business:
Passwords – set a password for your computers if you haven’t already, and for your Word and Excel documents if you can (modern versions of Office encrypt a password-protected file, so a lost document is unreadable without it). Length matters more than mixing uppercase, lowercase, numbers and symbols: a short word with a few letters swapped for look-alike symbols, such as “Dat35ecur!ty”, is one of the first things password-cracking tools try, because they know the common swaps and simply undo them. A better choice is a passphrase of four or more unrelated words, and a different one for every account. A password manager will generate and remember these for you. And never use a password you have seen printed as an example, including that one.
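To show concretely why a leet-substituted dictionary word is weaker than it looks, here is a small password check added as an example for this article (it is not code from the original post). It undoes the common letter-for-symbol swaps, tries to split the result into dictionary words, and compares the naive character-count estimate with what a cracker actually faces. The wordlist, substitution table, assumed attacker wordlist size, rule cost and 50-bit threshold are all constructed assumptions, chosen to make the point, not real cracking data.

```python
"""Password-strength check illustrating why "Dat35ecur!ty" is weak.

Added example, not part of the original article. A cracking tool applies
"rules" that undo leet substitutions and then tries dictionary words, so the
attacker's search space is a few dictionary words, not 95**12 strings.
The wordlist, substitution table and bit counts below are constructed
assumptions used to illustrate the idea, not real cracking data.
"""
from __future__ import annotations

import math
import re

# Constructed mini wordlist. A real attacker wordlist has hundreds of thousands of entries.
WORDLIST = {
    "password", "data", "date", "security", "secure", "welcome", "summer",
    "otter", "gravel", "lamp", "sixteen", "letmein", "admin",
}
# Assumed size of a real attacker wordlist, in bits: 2**17 is about 130k words.
ASSUMED_WORDLIST_BITS = 17
# Assumed cost of guessing which case/leet rule was applied (a handful of rules).
ASSUMED_RULE_BITS = 4

# Common "leet" substitutions that cracking rules reverse.
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}


def normalise(pw: str) -> str:
    """Undo leet substitutions and case so the underlying words can be matched."""
    return "".join(LEET.get(c, c) for c in pw).lower()


def segment(token: str) -> list[str]:
    """Split token into wordlist words ('datesecurity' -> ['date', 'security']).

    Dynamic programming over end positions: best[i] holds one valid split of
    token[:i], so best[len(token)] exists iff a complete split exists.
    """
    best: dict[int, list[str]] = {0: []}
    for end in range(1, len(token) + 1):
        for start in range(end):
            if start in best and token[start:end] in WORDLIST:
                best[end] = best[start] + [token[start:end]]
                break
    return best.get(len(token), [])


def dictionary_words(pw: str) -> list[str]:
    """Words the normalised password is built from, or [] if it is not a pure
    concatenation of wordlist entries (spaces/hyphens between words are ignored).
    Appended digits or years are not modelled here; a real rule set adds them."""
    words: list[str] = []
    for token in re.split(r"[^a-z0-9]+", normalise(pw)):
        if not token:
            continue
        seg = segment(token)
        if not seg:
            return []
        words.extend(seg)
    return words


def naive_bits(pw: str) -> float:
    """Entropy if every character were an independent random pick from its class."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII symbols
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw: str) -> dict:
    """Naive strength versus the strength left after a dictionary-plus-rules attack."""
    words = dictionary_words(pw)
    naive = naive_bits(pw)
    if words:
        # Attacker guesses each word from the wordlist plus which rule was applied.
        attacker = len(words) * ASSUMED_WORDLIST_BITS + ASSUMED_RULE_BITS
    else:
        attacker = naive
    effective = min(naive, attacker)
    return {
        "naive_bits": round(naive, 1),
        "effective_bits": round(effective, 1),
        "dictionary_words": words,
        # Assumed threshold: below about 50 bits an offline guessing attack is practical.
        "acceptable": effective >= 50,
    }


if __name__ == "__main__":
    for candidate in ("Dat35ecur!ty", "otter gravel lamp sixteen", "P@ssw0rd"):
        print(candidate, assess(candidate))
```

Run it and the article’s example comes out at roughly 38 bits of real strength despite a naive estimate near 79, while a four-word passphrase made of plain dictionary words scores higher simply because there are four independent words to guess.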
Lock your computer – what use is a password if it’s never needed? If your computer is left unattended, even to grab a cup of coffee, lock it! The quickest way on Windows is to press the Windows Key (the flag, or four squares) and “L”; on a Mac it is Control + Command + Q. Also set the screen to lock itself after a few minutes of inactivity, so that a forgotten lock is caught. This is particularly important if you work in or near a public space, but it’s a good habit to get into in any case.
Backup your data – not only is it important that information is secure, you also need to be able to recover it if you lose it. Backups can come in different shapes and sizes, in the “cloud” or on a pen drive, but a small amount of effort every few days can save you an IT nightmare on a terrible day. Two things to remember: a backup that has never been restored is only a hope, so test a restore occasionally; and a backup holds exactly the customer data you are trying to protect, so encrypt it (a lost, unencrypted pen drive full of client records is a reportable breach in its own right).
Theft – should your hardware or your data go walkabout, you need to know what to do. Hopefully you have your passwords set, but a login password alone does not stop someone removing the hard drive and reading it, so turn on full-disk encryption (BitLocker on Windows, FileVault on a Mac). If a lost or stolen device was encrypted and the password is not known to the thief, the data is very unlikely to be at risk; if it was not, you will now be required to notify the ICO within 72 hours, and possibly the customers affected. Keep a simple list of which devices hold customer data so you can answer that question quickly.
Need some help getting ready for GDPR? Contact me by e-mail today!