15 Feb
What small businesses need to consider to be GDPR-ready
Companies need to be able to demonstrate that personal data in their possession has been given consent, is secure and is deleted when it is no longer required.
On May 25th 2018, small and medium-sized enterprises (SMEs) operating within the EU will face penalisation if they are found to be in breach of the General Data Protection Regulation (GDPR). Businesses may be fined up to 20 million euros or 4% of their annual turnover, whichever is greater, if they are found to not be GDPR-compliant. While the UK is currently set to leave the EU, it will still be a member when this deadline passes. It is therefore imperative for UK businesses to ensure they are GDPR-compliant.
This is more concerning when you consider that a huge number of SMEs are unaware of GDPR and do not know whether they are compliant or not. Mike Lenard of Tailored Data Solutions found that 80% of businesses who attended his talk at the Executive Leaders Network event in November 2017 would not meet the new regulations.
If you are concerned about GDPR compliance, here are seven steps to become GDPR-ready:
1) Complete a full audit of any personal data you hold, both internal (employees) and external (clients, suppliers, third-party contacts).
2) Identify each contact and note the reasons why you possess personal data from them. If you have no substantial reason to hold their data, delete it. This could be because you do not recognise the data, the data is out of date, or the data is too incomplete to be of any use.
3) Categorise your database effectively. If your business regularly captures a high volume of data, automate your database so that it controls data capture, storage and deletion. Consider investing in a database software solution that will assist in this process. This should already be a priority if you have a high volume of data. There are multiple solutions available for different processes that can fit your needs.
4) Contact all your database members to formally acquire consent for holding personal data. You will need evidence of consent being given in every instance. This can be a signature or online alternative if necessary.
5) Ensure your computer servers are protected and invest in security for your company networks. Consult a local IT company to ensure this is correctly administered. Check that the encryption protocols for your website data are up to standard and meet the PCI DSS requirements set out by the PCI Security Standards Council.
6) Carry out regular audits and document them. Evidence of your actions to maintain compliance will assist you if you have future issues.
Ensuring GDPR compliance does not require a highly dense and detailed plan. The granularity to which these regulations break down can make compliance seem hard to achieve, but following the seven points detailed above thoroughly will ensure your SME is GDPR-ready.