Stressing out about the looming GDPR deadline of 25th of May? Relax! Be happy – Adlantic is here to placate the dread being felt by many small businesses right now.
A recent poll by the Federation of Small Businesses (FSB) suggests that only a minority of small businesses are prepared for GDPR. According to their poll, only 8% had completed their GDPR preparations, 35% were at the early stages and 33% said they had not yet started.
Perhaps you are aware of GDPR but, like 34% of small businesses, have little understanding of the GDPR requirements. If the threat of ICO fines is keeping you up at night, then pull your head out of the sand and read on.
Though the new law includes fines for non-compliance, the ICO states that these are a last resort.
GDPR is not about penalties, it’s about putting people first.
Yes, GDPR is unavoidable, but that’s because you need to do the right thing by your customers and protect their data. If you haven’t already started, begin today. We’ve removed some of the legal jargon and put together 5 key points to move you in the right direction.
5 ways to get prepared for GDPR
You need to work out what data you are holding on your customers, what type it is, where you are holding it, and whether it is secure.
1. Document the personal data you hold
Know your data. You need to demonstrate an understanding of the types of data you hold. This could be personal (name, address, email, bank details, photos, IP addresses) or sensitive/special (health details, religious views). You also need to know where this data came from, where it is going, and exactly how you use it.
2. Ensure you can honour citizens’ data requests
Citizens have the right to access all of their personal data, rectify anything they deem inaccurate and also erase all of the data on them that you may hold.
Each request must be answered within one month of the original date of request; this deadline can only be extended in mitigating circumstances.
3. Prepare for data breaches and ensure staff are trained
Ensure your processes enable you to notify the data protection authority of a data breach within 72 hours of becoming aware of it.
Ensure your employees understand what constitutes a personal data breach and build processes to pick up any red flags. It’s also important that everybody involved in your business is aware of the need to report any mistakes to your Data Protection Officer (DPO) or the person/team responsible for data protection compliance, as mistakes like these are the most common cause of a data breach.
4. Establish a lawful basis for data processing
Opt-out boxes are no longer good enough. You must now establish a lawful basis for processing data; if that basis is consent, it must be opt-in only. A citizen will only give their permission for their data to be processed for a limited period of time, for a narrowly defined purpose. Consent may also be withdrawn, so it’s wise to consider what other lawful basis you can use to process data.
5. Check if your company requires a data protection officer
The factors behind whether or not you need such an officer are based on what and how much data you collect, rather than the size of your business. If your central purpose requires “regular and systematic monitoring of data subjects on a large scale” then you must appoint a data protection officer.
You must also appoint one if you collect records of criminal convictions, or ethnicity, religious or philosophical beliefs, political opinions, trade union membership details, health, sex life, or sexual orientation data on a large scale.
What to do next?
Take a deep breath. It’s going to be ok. Accept you will probably need to bring in some new processes and policies and start planning your roadmap to compliance.
- Still have questions? Check out the ICO’s Frequently Asked Questions for small organisations
- Download and read the ICO’s 12-step guide, Preparing for the General Data Protection Regulation (GDPR).
- Use these handy self-assessment tools to understand how ready you already are.
- Call the Advice Service for small organisations.
- Still unsure? Come to Adlantic’s training event, GDPR for Marketers, on the 23rd of March in Glasgow.