Not long to go till GDPR comes into force on May 25th. But as an SME business, are you really impacted? That is a big yes, I'm afraid. There are no exclusions or exemptions for small businesses.
If you are storing any personal data in the European Economic Area (EEA), or are storing the data of EEA citizens inside or outside of the jurisdiction, you must demonstrate compliance with the regulation. Otherwise you face fines upwards of €20m or 4% of worldwide profit.
What are the new rights for consumers?
Without going into every detail of the regulation, some key rights to know for EEA citizens:
- EEA citizens are entitled to know where their data is and how it is being used.
- They are entitled to be informed if their data is being sold to a third party and who that party is.
- They have the right to ask you to send all the details you have on file about them; this can include emails.
- Consumers can request that their personal data be deleted from your records.
- If they unsubscribe from a mailing list, and you add them back on, they can report you.
- Former employees can ask for their HR files and can request that their details be deleted.
- Current employees can also ask for some of their personal details to be removed from your systems.
- We may see some interesting employee dismissal cases in the future, so be careful what you write about someone over email!
What can I do?
A key statement that appears to be coming from experts is that you need to ‘demonstrate compliance’. There are some simple steps you can start on before May 25th.
- Nominate someone to be your data controller. This might be you.
- Have you got a mailing list? If so, do a circular and ask people if they still want to be on your distribution list.
- If collecting customer details in the future, make sure you ask for consent: either a tick box and statement on a paper form, or the equivalent online.
- You cannot use double negatives for consent. It must be a straightforward ‘Can I add you to my mailing list?’, not ‘Please untick if you do not wish to join the mailing list’.
- Do a review of the types of personal data you collect. Ask yourself: why do I ask for it, do I need it, and are there pieces of data I can now delete?
- Document or create a file with your data control policies. How long or short it is is up to you, but have a policy.
- Never save personal data to an unencrypted computer. Use a secure online cloud service or encrypt your computer.
- A password on your laptop may not be enough; think about fingerprints, facial recognition and other protections such as encryption for your laptop and devices.
- Be careful what you send over email. Having a free Gmail or Hotmail account may not be as secure as you think. Check your email provider's GDPR policy.
- Never put personal data in domestic bins.
- If someone gives you a business card don’t assume they are happy for you to add them to a mailing list.
- Be careful buying mailing lists or using old lists from prior employers. Those people gave consent to your old company, not necessarily for you to have their details.
- Check with your data management provider where their servers are. You may have engaged a German provider, but are their cloud servers based in the US or Australia?
- If in doubt ask the person for consent.
- Create a data risk register.
If this all seems overwhelming, start with the quick wins. You can easily write out a policy note for your business as to how you plan to source and manage all forms of personal data coming into your business.
Remind staff to be careful with how they deal with personal data they source on your behalf. Finally, don’t forget to check with any employees or consultants you work with. Have you asked for their consent to keep and use their personal data?
If in doubt, do get in touch with data management and security companies. Try to attend any events coming up, but do not get duped into paying thousands for advice. Finally, an exercise you should try to find time for is to map how data comes into your business.
The aim of the exercise is to consider all the ways you source and store data. Then, per database/repository/source, work out the type of data you have.
For example, you may have a newsletter sign-up on your website, plus collect details on the road, in a shop, etc. You may also have people dropping CVs in to your business or emailing CVs. How do you store employee data when they join? How are you disposing of personal data?
At the entry point, you may have several types of data coming through, so it is important to classify these types of data and design your policies to cater appropriately. As you follow the journey per type of data, you may find you have only one repository or several. You might realise some data is no longer required for your business: a great opportunity to delete. It may also help you consolidate some of your methods for data collection and management.
While the new regulations seem daunting, you still have time to start the process of compliance. It will depend on your business, but set yourself weekly tasks/targets and delegate to employees tasks to support you.
By doing nothing at all, you are ignoring a major piece of guidance from the regulation: ‘demonstrate compliance’. Doing something is always better than doing nothing at all.