Countdown to GDPR: SMEs, are you ready?
Not long to go till GDPR comes into force on May 25th. But as an SME business, are you really impacted? That is a big yes, I'm afraid. There are no exclusions or exemptions for small businesses.
If you are storing any personal data in the European Economic Area (EEA), or are storing EEA citizens' data inside or outside of the jurisdiction, you must demonstrate compliance with the regulation. Otherwise you face fines upwards of €20m or 4% of worldwide profit.
What are the new rights for consumers?
Without going into every detail of the regulation, some key rights to know for EEA citizens:
What can I do?
A key statement that appears to be coming from experts is that you need to 'demonstrate compliance'. There are some simple steps you can start on before May 25th.
If this all seems overwhelming, start with the quick wins. You can easily write out a policy note for your business as to how you plan to source and manage all forms of personal data coming into your business.
Remind staff to be careful with how they deal with personal data they source on your behalf. Finally, don't forget to check with any employees or consultants you work with: have you asked for their consent to keep and use their personal data?
If in doubt, do get in touch with data management and security companies. Try to attend any events coming up, but do not get duped into paying thousands for advice. Finally, an exercise you should try to find time for is to map how data comes into your business.
The aim of the exercise is to consider all the ways you source and store data. Then, per database/repository/source, work out the type of data you hold.
For example, you may have a newsletter sign-up on your website, plus collect details on the road or in a shop. You may also have people dropping CVs in to your business or emailing CVs. How do you store employee data when they join? How are you disposing of personal data?
At the entry point, you may have several types of data coming through. So it is important to classify these types of data and design your policies to cater for each appropriately. As you follow the journey per type of data, you may find it ends up in one repository or several. You might realise some data is no longer required for your business, which is a great opportunity to delete it. Plus it may help you consolidate some of your methods for data collection and management.
While the new regulations seem daunting, you still have time to start the process of compliance. It will depend on your business, but set yourself weekly tasks/targets and delegate tasks to employees to support you.
By doing nothing at all, you are ignoring a major piece of guidance from the regulation: 'demonstrate compliance'. Doing something is always better than doing nothing at all.