How to ensure your business is GDPR compliant

By Richard LeCount, Owner and Director of USB4photographers.com and USBmakers.com.

As the date for GDPR compliance nears, news of data breaches, fines and the like is becoming much more common. So, how do you become compliant? And what is involved?

GDPR will be enforced on 25th May 2018 – it’s just weeks away. As such, you’ll likely have seen a flurry of emails about changes to privacy policies and opt-ins. But there’s a little more to it. Firstly, you need to understand what it is and what it means for your business.

So, what is it?

GDPR (General Data Protection Regulation) sets out to replace the outdated Data Protection Directive and will affect all who handle data relating to anyone in the UK or EU.

It’s all about following “best practice” to provide the public with greater control of how their data is used. It aims to improve the management and sale of data, while reducing its misuse.

Those found in breach of the new regulations can be fined up to 2% of their annual turnover or €20 million.

What does it mean for your business?

It’s all about accountability. It makes you responsible for complying and demonstrating that you’ve done everything in your power to protect the data you manage.

To become compliant you’ll need to address your data management processes and be transparent with your customers, prospects, suppliers and partners about how data on them is held.

Here’s what to do:

Audit your data – GDPR requires you to only collect the data necessary for you to provide quality services or products and maintain communication. Plan out what data you need to collect and safely delete any unnecessary information.

Contact third-party suppliers – List all third-party software suppliers, ask them whether they’re GDPR compliant and what their policies are. This includes CMS systems, CRM software, cloud accounting packages, cloud storage, etc. Where necessary, put written contracts in place with organisations that process personal data on your behalf.

Assess your current processes and revise them – Whether you take payments online or not, it’s vital your website is secure. Ensure your website has an SSL certificate, updated privacy policies and terms and conditions, which clearly detail what data you collect, how you use it and the security in place to protect it.

Address data storage – It’s important to map out where your data is stored so that you can review how you handle it, delete it and pass it on. You won’t be GDPR compliant without addressing data loss from USB drives, so it’s recommended that you encrypt them, which means only the original authorised user can read the data they hold.

After 25th May

Once you’ve assessed your data and have clear processes and policies in place you’re almost there!

To ensure you’re compliant after 25th May, it’s recommended you do the following:

  • Appoint a DPO (Data Protection Officer) to manage your data and report breaches.
  • Follow processes to ensure you can prove consent to contact individuals beyond the original transaction.
  • Train all staff to manage and maintain data protection in line with GDPR.

For more information, visit the USB Makers blog here.