I don’t need to worry about GDPR because…
- I’m only a small business.
- I don’t send eshots to people.
- I don’t have any employees.
- The only personal data I have is customers.
- It’s still changing so why should I start now?
- It is mainly aimed at the big corporate businesses.
- We are leaving the EU soon anyway!
First, let’s clarify what GDPR is and why it is a hot topic.
The GDPR (General Data Protection Regulation) is the result of around four years of work by the EU to bring data protection law across member states into line. In the UK it replaces the regime based on the 1995 directive and the Data Protection Act 1998. It applies from Friday 25 May 2018, and this will NOT change when the UK leaves the EU: the government has committed to keeping it, and it will be enforced by the ICO (Information Commissioner’s Office).
What do you have to do now?
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA). If you are complying properly with the current law, most of your approach to compliance will remain valid under the GDPR. However, we all know that data protection has not been a focus for most business owners, and if no one has complained it has not been a priority!
So where do you start?
5 areas to focus on first:
1. Data. Work out what personal information you hold and where it is. This includes current, past and potential employees (those CVs you’ve filed away!), mailing lists, data in CRM solutions, data in accounting software and so on. Then select the data you actually need to run your business. If you don’t need the child’s name or the wedding anniversary date, delete it. If you can consolidate the data into one or two locations it is easier to find, to secure and to delete.
2. Security. One of the biggest risks, and one of the main reasons you may have to report a breach, is a ransomware or other cyber-attack that could have accessed your data. Cyber security is therefore key. Think of the security of your own home: you wouldn’t lock the front door and leave a window open, leave a key under the mat, hand out keys to everyone, fit an alarm and not set it, or leave valuables in view from outside. If you are not IT savvy you will need advice from an expert to put measures in place and policies for people to follow. There are some easy wins: MFA (multi-factor authentication), strong passwords and encryption. Good encryption on every device is close to a “get out of jail” card for lost or stolen hardware: if you leave your laptop on a train and can show that its disk was encrypted and the key was not compromised, the loss is unlikely to put anyone at risk and you will usually not need to report it to the ICO as a breach. Note the caveat: a ransomware attack is a loss of access to your data (and possibly theft of it), so encryption at rest does not get you out of reporting that; a tested backup kept offline is what limits the damage there.
3. Processes. Identify the critical processes you currently follow to manage personal information. Rate each one by risk, depending on the amount and type of data involved (passport details, for example, are high risk). Review them, improve them and document the new process. Make sure the process you are asking everyone to follow is workable and that they understand what has changed and why. Do that now, then review the processes monthly.
4. Policies. Steps 1 to 3 will have identified new policies you need, whether password related, about moving or copying data, about the forms you send out, and so on. Start creating them, or amend existing ones. Top tip: prioritise and stagger the roll-out so your team isn’t swamped with new information to take in.
5. People. Start talking to your team, your suppliers and any third parties who have access to your systems or data (HR consultants, marketing agencies, accountants and bookkeepers, for example). They will help you identify where your data is, what they need it for and why, and they need to buy in to the changes required to secure your business. Fines of up to 4% of annual turnover (or €20 million, whichever is higher) could affect their future as well as yours!
This is just the start. It will show you how much or how little work you need to do to become GDPR compliant, and since this isn’t going away you will need to review it continually.
Depending on the size of your business, the volume of data and the risk factors highlighted in step 3, you may need outside help to challenge what you do and why, and to help you implement some of it.
Red Fusion can provide a Gap Analysis report of where you currently stand on GDPR compliance, with easy to understand steps to get you there. The report is detailed because we believe in giving you the complete facts so you can decide how to implement them. We also provide solutions and services as add-ons if required; please click on the links below to our datasheets related to GDPR.
…or give us a call and we will see if we can help!