The European General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and your business needs to be ready for it.
In a nutshell, the regulation is concerned with giving citizens and residents of Europe more control over their personal data, and is a way of unifying and simplifying regulations for international businesses. So, what does GDPR mean for your business?
You may need to hire a DPO
Any business which regularly or systematically monitors data on a large scale must employ a Data Protection Officer (DPO) to ensure that the company complies with the GDPR obligations.
The use of the words ‘large scale’ has caused much speculation as to whether small and medium-sized businesses will be exempt from this requirement; however, this is not the case, and it depends on the size of your organisation and the sector that you are in. A private firm or organisation does not have to employ a DPO if it can prove that it doesn’t process any special category information (ethnicity, health information, sexual orientation, or political beliefs).
You need to review your data
Most companies routinely store personal data: HR records, customer data, employee data and supplier information. To comply with GDPR you will need to undertake a comprehensive information audit of the data you hold. It doesn’t matter whether you store the data in a spreadsheet, on paper records, on your computer network or in the cloud.
Smaller businesses can find it a challenge to deliver the responsibilities of the GDPR, especially with the level of knowledge and management that is required for IT systems. It is advisable to hire a qualified external consultant who is familiar with the legal obligations that you have and to use a cloud access security broker such as Skyhigh to ensure that your data is compliant and secure.
You need to gain consent
People will have to give you consent to store their personal information, and it goes beyond pre-ticked boxes on your website forms. You need to ensure that you offer individuals a genuine choice and options, and do not make consent a precondition of using your services. The consent form also needs to be separate from the other standard terms and conditions – it needs to be explicit.
You need to review your suppliers
As we move into GDPR, you must also be aware that your suppliers need to be GDPR compliant too. By ensuring that they are, you are reducing the risk that you will be impacted by any breach in their data systems. You need to gain confirmation that they have compliant security measures in place. If a supplier does not comply with GDPR, your relationship with them needs to be addressed, as they must also meet compliant data protection standards.
With Brexit currently in limbo, you may be questioning whether it is worth your time to put policies in place to be compliant, but the powers that be have confirmed that the GDPR will still apply post-Brexit in a newly revamped Data Protection Act. The GDPR is a daunting exercise, but it can benefit your business by building trust with customers and consumers – responsible data handling and accountability are the basic principles of good business, after all.