As many are aware, the General Data Protection Regulation (GDPR) is a new EU regulation that came into effect this month. GDPR aims to give the public more control over their data, and pushes organizations of all sizes to take charge of protecting and handling data proactively and securely.
Small businesses are more likely to find it challenging to comply, for the following reasons:
- Lack of professional knowledge
- Little awareness of, or regard for, data protection and the consequences of non-compliance
- Limited time and/or resources for audits
There are many lengthy GDPR FAQ guides out there; however, if you're just getting started and unsure where to begin, this guide will introduce you to the regulation and the changes to make within your business.
Read on to discover how to comply with GDPR and avoid hefty fines:
Educate your employees
Ensure your employees, as well as yourself, are aware of the changes GDPR will bring to the business as a whole. Run training sessions and encourage your teams to grasp the regulation and understand it as well as possible. Many businesses have brought in an outsourced professional trained in GDPR to run a training course or give talks within the business.
Everyone within your business must also be aware of the severe consequences of non-compliance. Point out the risks of not following through, and encourage everyone within the business to carry out their work in line with the GDPR.
Carry out a data audit
A data audit is imperative to assess your current data practices. It's also worth mentioning that multiple audits will need to be carried out if you have more than one department. Ask yourself the following when carrying out your audit:
- What data do you currently have stored, and is it GDPR compliant?
- Where was the data sourced from, and did it have an "opt-in" step to ensure consent for data storage?
- With whom, where and how has the data been shared?
- How will the data be used?
Ensure you have a record of all your data, as well as the processing involved, in order to comply with GDPR. Complying also has the benefit of keeping your data organized and easily accessible.
Designate a data protection officer
If your business has over 250 employees, then GDPR makes it a requirement to appoint a Data Protection Officer. Smaller businesses still need to ensure they are prepared, and even with fewer than 250 employees it is a good idea to consider hiring an outsourced expert. This is beneficial not only for ensuring the business is compliant, but it also takes a load off the owner, who can focus on other areas of the business.
Enforce data breach policies
The loss or breach of data should be reported within the first 24 hours; however, you legally have up to 72 hours to report a breach. Your business should have clear policies on how to identify and report a breach safely and efficiently.
When reporting a breach, all relevant parties involved must be notified of the consequences. Failing to report a breach can result in large fines for the business.
Update your systems to comply with GDPR
Creating new systems, or updating existing ones, so that data storage is in line with GDPR is essential. GDPR actually gives businesses concise guidelines on how to store, share and receive data, which helps you track data efficiently.
A summary of steps to GDPR Compliance
- Ensure key employees in every department are well aware of the importance of GDPR implementation and compliance.
- Conduct an information audit that explores the personal data held, where it was derived from, and who it has been shared with and how.
- Add 'opt-ins' to your privacy notice.
- Ensure you have procedures in place that allow you to delete personal data upon request, to comply with the rights of individuals.
- Update procedures to ensure requests can be handled within the necessary timescale.
- Provide an explanation of how you lawfully process personal data in compliance with GDPR.
- Review data capture and consent methods to determine whether any changes need to be made.
- Ensure you are able to verify age and identify when parental consent is needed.
- Ensure procedures are in place to detect and report personal data breaches.
- Know when to conduct a Data Protection Impact Assessment (DPIA).
- Consider hiring a Data Protection Officer or appointing a professional within the business to carry out that duty.
- If your business operates in more than one EU state, determine your lead data protection supervisory authority.