European data protection laws are going to come into force on 25th May 2018 and businesses need to be ready. These new laws will affect all businesses in the UK and the current Data Protection Act (DPA) will be updated to reflect the new obligations. The GDPR has a greater scope, with much tougher punishments and judicial remedy for those who fail to comply with the new rules surrounding the handling and storage of personal data.
Why are these rules being introduced?
The rapid increase of the internet and technology development has resulted in the current DPA being ineffective. The ease of data collection now means thousands of Small and Medium-sized Enterprises (SMEs) can collect, store, move and access personal data all online. Personal data is used for a multitude of reasons, but this growing ease has also increased cybercriminals behaviour. Major data breaches have given criminals access to names, birthdates and addresses as well as much more information. Therefore, SMEs are more likely to be targeted by cybercriminals than large, corporate counterparts. Thus, the GDPR is proposed to be a necessity for the protection of data in our modern society.
What does GDPR mean for SMEs?
With the change, it will ensure that businesses must keep a detailed record of how and when an individual gives consent to store and use their personal data. This means a positive agreement and cannot be a tick box. If customers or individuals have to right to withdraw consent and if they do, their details must be permanently erased.
In the time leading up to the start of the new law, businesses should review their existing data and delete any that they do not have a valid reason to hold, i.e. the personal data is needed to perform a business contract. Data should be kept secure and this will require a review of current practices to prevent data breaches, thus planning for it now.
A checklist to help review your data for GDPR
In advance of the change, GDPR expects businesses to put into place comprehensive but proportionate governance measures. This checklist should help you prepare for this. Document the actions you are planning to take and not the changes, if you need help with this you can seek an external consultant.
- Review all data and ask: ‘why is it held?’ ‘Do I still need it? ‘Is it safe?’
- Look at consent procedures and privacy notices on your site and terms of business. Do customers get to positively agree to hold their data? Document the reasons you hold data e.g. consent, legitimate interests, legal obligations, etc.
- Plan how to handle data and the right to withdraw data requests within the new timescales.
- Look at the processes to handling and storing data, identify any problem areas and decide how you can reduce the risk of breaches. You may need to identify new technology to help you comply with the GDPR.
- Document the procedures you have in place to detect, report and investigate data breaches and let everyone in your business know about the new policy.
If you run a small or medium size business and require help with accounting please contact us on 01908 046964