What is GDPR? - A Helpful Guide for Small Businesses
The General Data Protection Regulation is set to change the face of information use across the world. Applicable to all businesses in the EU, and even international companies outside the EU, the new regulations require businesses of all sizes to adapt and account for their use of personal data.
While many think it will only affect huge corporations and tech giants, it is just as important for small and medium-sized businesses. Any processing of EU citizens’ information, from marketing emails to IP addresses and even voice calls, will require stringent policing. This guide is to help you prepare for GDPR and ensure your company doesn’t get hit with fines.
What is the GDPR?
Simply put, the GDPR is a new set of regulations introduced to protect individuals’ rights to know what personal data and information is collected and how it is used, stored, and destroyed.
The European General Data Protection Regulation (GDPR) is built upon two key concepts.
- Giving citizens and residents more control of their personal data
- Simplifying regulations for international business with a unifying regulation across the European Union.
Per the Information Commissioner’s Office, the understanding of what is ‘personal data’ has been updated to include ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.’
The importance of this definition cannot be overstated as the GDPR goes on to clarify:
“[A]n identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This means that everything from IP addresses to hair colour can be considered identifiable information and thus personal data.
What Can I Do as a Small Business?
While GDPR may seem to be full of confusing legal jargon there are easy, practical ways to ensure you safeguard your company from damaging contraventions. We’ve broken these up into the general departments of an SME to make it easier to understand and plan but first…
Audit and Spring Clean
Your first concern is to audit the information in-house. It is essential to dedicate resources and manpower to organising your house. Emailing lists, client information, account details, customer preferences, addresses and any other information that may be deemed ‘personal data’ should be checked for inaccuracies, collated, and monitored. As a start, you should:
- Ensure any incorrect data is corrected and brought up to date with the consent of the persons concerned.
- Collect data and save it in a secure location under the control of a dedicated data security officer. The format of the data should be universal and accessible for the ICO or individuals requiring access.
- Destroy out-of-date data and information that no longer serves a purpose. This differs according to your sector as a hotel may need to keep details for a few months while a construction company may need to keep the information for several years. Establish what is a reasonable period of time and destroy the data that falls outside this time frame.
This practice extends to third parties such as suppliers and contractors. Due diligence is key as companies indirectly associated with security breaches may be subject to ICO investigation.
Sales and Marketing
Consent is the primary concern with the new guidelines. As such, sales and marketing teams that rely on email lists, call lists, and other marketing data will need to update their processes.
Check what your current consent protocols are and if they meet up with GDPR regulations. Set out in the GDPR, consent should be given by a clear affirmative action. No auto-checked boxes on cookie policies, silent affirmation, or inactivity count as consent. Furthermore, consent cannot be tied to other clauses like joining an email list or subscribing for a third-party service. Data usage consent must be given affirmatively and with no strings attached.
Call centres are also subject to these regulations and must ensure callers actively agree to their data being collected for use. Do-not-email and do-not-call lists must also be updated and screened for people who have rejected the use of their data.
Questionnaires and the like will need to be clear in their reasoning and use of the data therein. It may also be necessary to get consent for each instance of a questionnaire as well as documenting when you intend to delete the information gathered.
These changes will have an obvious effect on sales leads and lists. While it may reduce the number of leads, the affirmative consent will help you find parties interested in doing business with you. The ICO has a useful Direct Marketing Checklist to help you plan your GDPR guidelines.
Web and IT
With so much data collected and stored online, development teams will be an integral part of updating systems to meet GDPR. Website security, database protection, and any other security measures are paramount.
Similarly, the IT division at your company will also have to ensure data is securely disposed of and, in the case of a security breach, create systems to inform customers and potentially the ICO.
HR and Internal Affairs
HR and internal affairs are almost certain to need GDPR updating as they handle employees’ personal information. From payroll to annual leave and sick leave, this data needs to be secured and managed. As stated above, out-of-date or incorrect data will need to be destroyed in a reasonable amount of time.
For the sake of everyday life, it is impractical to get affirmative consent for actions between employer and employee. As a rule of thumb, consent is a given as long as data usage is for legitimate concerns and within the contract of the employee. However, should employees leave the company, their information should be disposed of in a timely manner.
This doesn’t mean the employer has no power as requests for access to personal information can be rejected on the grounds of unfounded or excessive requests. To ensure all parties are on the same page, you should create GDPR compliant notices to inform, engage, and create understanding between you and your employees.
Recruitment will also be affected as CVs, applications, and portfolios will need to be protected under the GDPR. This means getting express consent from individuals to use and potentially store their information for future roles.
Accounts and Finance
Given the sensitive nature of the information in these departments, the GDPR will probably see the smallest effect here. Sage’s general rule is a good starting point for the Accounts department, stating:
“A good rule of thumb is that, unless the accounting data is linked to an individual, then there should be no issue.”
In most cases, accountants already have contracts in place to govern the use of data and information between two parties. While it may be easier here, it is still worth going over the processes to make sure all your departments are in line with the new regulations.
These tips are intended to point you in the right direction and give you an idea of what the GDPR will mean for your business. Consult legal counsel, the ICO, the European Union or GDPR experts for exact legal advice on your company and the changes necessary. All these changes may seem demanding, but with planning, implementation, and maintenance you can ensure your small business abides by the GDPR guidelines.