GDPR: what does the transition from the Data Protection Act to the General Data Protection Regulation mean for my SME?

We’ve already talked about how, on 25 May 2018, the General Data Protection Regulation (GDPR) replaces the Data Protection Act 1998. In case you missed it, this is to make data collection rules consistent across the EU.

Regardless of what happens with Brexit, it’s important to note that GDPR still applies if a non-EU company processes the personal data of those living in the EU.

So if, say, you’re an online retailer running a small e-commerce site in the UK, and you hold EU customers’ personal data, you’re still subject to GDPR regulations.

It’s a good idea to know where you stand, particularly as one of the biggest considerations of the new regulations is making sure ‘sensitive data’ is handled correctly. Of course, knowing what is and isn’t ‘sensitive data’ is the first thing to be clear about.

Do I hold potentially sensitive data?

Never before have we shared so much personal data with businesses, never before have businesses placed so much value on this data, and never have more companies collected and stored sensitive data without knowing it. Let’s look at a few examples.

  • A virtual assistant helps a client with a direct mail campaign and holds data including home addresses, employer and work addresses, age groups etc. This is stored in the cloud and then shared with a distribution company which sends the mail. GDPR says explicit consent for both parties to use this information is needed.
  • Past and present personal data in HR records is a potential target for hackers, and it’s your responsibility to make sure it’s absolutely secure. Any third party request to access this information is subject to the employee (or ex-employee) giving consent.
  • Health professionals such as physiotherapists and chiropractors through to homeopaths and reflexologists might ask patients to complete a form about their wellbeing prior to treatment. If this information isn’t stored in line with the new data regulations, it could be in breach of them.

In fact, any company or individual providing marketing, IT, accountancy or other business support may have access to a wealth of client and customer data. GDPR says this now needs to be collected, stored and protected in specific ways in case of a breach.


Breach club

While everyone’s talking about high-profile hacks and attacks (and sadly these are genuine threats), cyber breaches come in all shapes and sizes.

A member of staff accidentally leaving a laptop containing customer data on a train could leave your business vulnerable. Similarly, a disgruntled member of staff could access data that they shouldn’t. Data can also be deleted or lost from something as innocuous as a power outage, causing an IT system to fail.

The point is that most businesses hold some sort of data that could be lost, changed or viewed without authorisation. Businesses ignoring the GDPR do so at their peril.


How can I prepare a data protection strategy?

The GDPR requires that larger businesses or public authorities carrying out large-scale data handling appoint a Data Protection Officer. While smaller businesses don’t have to do the same, it’s good practice to make sure data handling is a specific person’s job. That person then has responsibility for the following:

  1. Carrying out a data protection impact assessment to determine what kind of personal information has been or will be collected, the collection method, how it’s used, transferred and stored, why it might be shared and how it’s protected.
  2. Carrying out regular internal audits of data collection and storage processes, making amendments where necessary.
  3. Making sure all staff are up-to-date with data protection training and that new joiners are aware of and understand processes and procedures.
  4. Taking a view on any new technology, software and marketing initiatives to ensure they comply with GDPR.
  5. Forming a crisis group before you need one. Specific people trained to take the lead if the worst happens can help reduce the impact on your business.

Failure to plan and comply with the new regulations could result in much more than a slap on the wrist: tough new penalties of up to 4% of your annual revenue or €20m are being brought in. And that’s before the potential damage to your business’s reputation and the indirect loss of income that follows.

Can you afford to not be ready?

Useful links:

The Information Commissioner’s Office (ICO): https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr

And the official GDPR site: http://www.eugdpr.org/
