The new General Data Protection Regulation comes into force on 25 May, 2018. It’s the biggest change in European data protection laws for two decades. So, it's probably about time. Think about it... when the last Data Protection Act was passed in 1998, the UK watched its first DVD, we last hosted the Eurovision Song Contest (remember Imaani - she came 2nd), and Ross was marrying Emily in Friends. It was a (millennial’s) lifetime ago, and much of the dated legislation is now inadequate in the modern digital age.
The GDPR will introduce a new set of rules around privacy and data security and the financial and legal penalties on violations will be severe. SMEs are not going to be exempt. The compliance deadline is now only five months away, and, as late as last November, the small biz community was still fairly unprepared for the changes they will have to implement. And we know what you might be thinking: unfortunately, Brexit is not going to be a GDPR get-out clause, because the May deadline falls well before the UK leaves the EU in 2019.
All that said, don’t panic. Some core elements of the GDPR are not so hugely different to the current Data Protection Act, so if you’re already DPA compliant, then that’s a great start. The new legislation covers the secure collection, storage and usage of personal data, and its main concept is to give individuals back control of said personal information and what’s done with it.
Consent and the ‘right to be forgotten’
Businesses can no longer use pre-ticked boxes on online forms to cover all uses of customers’ data. The new GDPR rules around consent means separate, unambiguous permission must be obtained to use acquired data for different things. Permission given for marketing will not cover support, and vice versa. Legal contracts must be crystal clear on what the data will be used for, and furthermore, there must also be a record kept of when consent is given.
Consent is no longer permanent under GDPR, and all individuals have a right to erasure of any data a company holds about them. Customers can ask for data to be frozen, or for a copy of it, which must be provided within a month of the request. You must ensure your systems (and personnel) can potentially cope with multiple requests by customers. If your CRM system isn’t highly organised, it will soon have to be.
Digital security and third-party processors
Data must be protected, and depending on how sensitive it is, encrypted from the outset. Personal data breaches – which could be as major as hacking, but as minor as sending the wrong customer the wrong email – could incur serious penalties. You and your employees will need to know what constitutes a data breach, what constitutes a high risk breach, and you must have processes put in place to handle them.
Obviously, as a small biz, you’re less likely to have dedicated IT people, and you’re also more likely to rely on third-party companies for order processing or cloud storage (companies such as Basecamp and Google already have statements on their approach to GDPR compliance). If any of these external ‘data processors’ are handling your customers’ sensitive data, the onus is on you to check their compliance is sufficient.
Suffice to say, there is a lot more to learn and not a lot of time left to do so. For further reading, you can head straight to the ICO and read their official GDPR advice for small businesses as well as the 12 very practical steps to take. Do feedback as to how you get on - we're all in it together!