GDPR and Small Businesses
General Data Protection Regulation
The new General Data Protection Regulation (GDPR) applies from 25 May 2018. That might sound a long time away, but preparing for the GDPR’s requirements is not something to leave until the last minute. Clubwifi has been preparing for this change with new systems and upgrades since the beginning of the year.
Small businesses that capture, store and handle personal data may have to make changes to their data handling policies to ensure compliance, and the penalties for getting it wrong are severe: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. Personal data is any information that identifies, or could be used to identify, a living person, such as a name, an identification number, location data or an “online identifier” (an IP address, an email address, a cookie identifier, or even a social media post).
GDPR is probably overdue!
GDPR replaces the 1995 EU Data Protection Directive, which the UK implemented as the Data Protection Act 1998 (DPA). The DPA dates from a time when only the largest companies could afford to collect customer data, and even then they did not always have the wherewithal to do much with it. Since then, data collection has become commonplace and thousands of SMEs use it to aid their sales and marketing efforts. GDPR was developed to reflect these changed circumstances.
If you are currently subject to the DPA, you will almost certainly be subject to GDPR. GDPR also applies to businesses outside the EU that offer goods or services to people in the EU or monitor their behaviour.
Perhaps most importantly for SMEs, where a company relies on its customers’ consent to store and use their personal data, that consent must be clear and unambiguous, and the company must keep a secure record of how and when it was granted, what it was granted for and for how long. Consent is only one of the lawful bases for processing that GDPR allows (performing a contract and legitimate interests are others), but if consent is the basis you rely on, the rules below apply in full.
As an SME you will be expected to be able to produce a clear audit trail of consent.
And importantly, that consent will have to be positively given. Assuming consent from a pre-ticked box, or inaction on the part of the customer, will no longer be acceptable. This has to be an opt-in, rather than opt-out, process. In other words, if you use tick boxes, they have to be left unticked.
Delete and Forget
Just as importantly, your customers will have the right to withdraw their consent at any time, and withdrawing consent must be as easy as giving it. Individuals also have the right to erasure, better known as the “right to be forgotten”. That means you will need to know exactly what data you hold on a customer and where it is stored (server, PC, cloud, backups, filing cabinet, or a third party such as a mailing list provider?), so that you can delete it permanently if a request is made. The right is not absolute: data you are legally required to retain can be kept, but you must be able to say which records those are and why.
If you suffer a data breach, you need to be prepared to move quickly. GDPR requires that the supervisory authority (in the UK, the Information Commissioner’s Office) be notified within 72 hours of your becoming aware of a breach, unless the breach is unlikely to put individuals at risk. The notification must describe the nature of the breach, including the categories and approximate number of records and individuals affected. Where the breach is likely to put individuals at high risk, they must be told as well, without undue delay. For SMEs, that means you need monitoring in place to detect a breach promptly, and a written response plan so that it is clear who assesses the breach, who notifies, and what is recorded.
While these requirements are the most obvious ones affecting SMEs, there is much more. Depending on your business and sector, and what you actually do with personal data, implementing GDPR may require an information audit in the first instance, so you understand exactly what information is stored, where, for what purpose, and on what lawful basis. It may also require a change in company culture, with staff assigned to proactively monitor consent trails and data storage protocols, ensuring that best practice, in accordance with the stipulations of GDPR, is always followed. Not doing so could result in hefty fines.
This is just a summary of some of the main points of GDPR. For more information, the Information Commissioner’s Office is a great place to start.
Contact Clubwifi for the latest updates to our systems regarding GDPR.
If you would like to know more - please contact us on 01626 270140 or email firstname.lastname@example.org
PAGE 2 of 5