The General Data Protection Regulation (GDPR) is set to be one of the most stringent European data protection laws in place, and applies from 25 May 2018.
Businesses based in the UK, as well as those based outside the EU that offer goods and services to customers there, must comply with the GDPR. While it retains many provisions of the current Data Protection Act regarding sensitive personal data and its sharing, it extends the scope of what counts as personal data to cover additional categories.
One of the most demanding aspects of the GDPR is accountability: as a service provider, you do not just need to comply with the law, you also need to be able to demonstrate that you are complying. For example, if you currently keep a mailing list for approaching potential customers, once the GDPR is in force you will need to show how you obtained the personal data on that list and produce evidence of each person's consent. The GDPR also does away with blanket consent clauses on the customer's behalf: a generic 'may be shared with selected third parties' will no longer be acceptable.
As a small business owner, your first step should be to bring the personal data you already hold into line with the new rules. The transitional period before the GDPR takes effect is long enough for businesses to meet the requirements. You should also take the following steps to ensure things run smoothly later on:
- Decide where your main establishment is located, and determine for each of your other establishments whether it falls under the jurisdiction of the GDPR. Any dealings with businesses situated outside the EU must be compliant as well.
- Audit the personal data you already hold for compliance. A good deal of this data may have been accumulated by your own information security mechanisms. Running a data discovery exercise to locate unencrypted personal data is a sensible approach; the discovery team can then decide whether to delete it or to apply controls.
- Unlike previous regulations, the GDPR applies equally to data controllers and data processors. Your security measures and technical processes must be compliant before you take on any new work. If you outsource a client's work, you will need the client's specific permission to do so, and the contract must meet all obligations under the GDPR.
- Review your privacy policies and notices. Make sure every affected individual is notified of the changes and gives consent to them, so that the data you hold is compliant with the new regulation. Take care that all personal data your business holds, whether gathered through mailing lists, social connections or other such channels, can be shown to have the individual's consent once the law kicks in.
- Set up a breach management process and a risk assessment framework for your business from the outset, especially if your work involves sensitive or high-risk data handling. Tighten your information security processes so that no data enters your systems or is made available without the necessary permissions.
The GDPR is going to take data protection by storm: the maximum fines proposed are 4% of annual global turnover or EUR 20 million, whichever is greater. As a small business, though, what you need to focus on is that the data you currently hold and all data collected from now on is unfailingly compliant with the law. Your business partners and service providers must meet the same obligations, so documented processes and measures will play a major role.
However, the regulation also works very much in your favour, given customers' growing hostility towards privacy breaches. It will lend genuineness, high fidelity and better customer retention to clean, compliant businesses. It can equally benefit the service side, by associating you with other high-security businesses and verified processes at all times. Do let us know in the comments below how you are implementing measures to bring your business compliance up to GDPR level.