The General Data Protection Regulation, or GDPR as it’s better known, can feel like a minefield. In the run up to this legislation coming into force, huge campaigns were run to ensure that all businesses were compliant with the new rules, meaning businesses had to make some big changes to the way they handled their data. As a micro business, you may be unsure how these rules apply to you, especially if you’re just starting out and don’t hold much data just yet.
But as GDPR is so important and not being compliant can have some very damaging effects on your business, it’s a good idea to get your ducks in a row early on. This guide will walk you through what GDPR means for your business, how to understand the data you hold and your responsibility to protect it, and finally how to make sure you remain compliant.
What is GDPR?
Let’s take a quick look at what GDPR actually is. You may already be familiar with the term or you may even know it inside out, but for the purpose of this article let’s have a quick recap before discussing what this means for your micro business.
GDPR is a reasonably new piece of EU legislation: it was adopted in 2016 and has applied since 25 May 2018. The UK Government has kept the regulation in UK law after Brexit, so the same rules continue to apply in the UK (as the “UK GDPR” alongside the Data Protection Act 2018). The idea behind these regulations is to protect the personal data of individuals in the EU and the UK (not only citizens, but anyone whose data is processed there), giving them more control over it. This includes the right to access their data and the right to erasure, better known as the right to be forgotten.
With so much of our lives now conducted online, we share a lot of our information with businesses and services, whether that’s through social media, online banking, email or when shopping. As a result, businesses hold a lot of personal information about individuals, and this legislation is in place to stop it being stolen, shared with third parties without a proper basis, or generally ending up in the wrong hands.
How does it affect your business?
The regulation affects businesses across the globe, not just in Europe. The rules state that anyone processing the personal data of individuals in the EU must comply, whether they’re based in Europe or not. Non-compliance can be punished with fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, as well as orders to stop processing. The result is that your business almost certainly will be affected by GDPR in some way.
That said, as a micro business it can be easy to think that this legislation doesn’t really concern you, or that you’re less likely to be penalised than a huge corporation holding millions of people’s personal information. And while there is an element of truth to this, it is always best practice to understand GDPR and put effective measures in place to protect your customer/client data and your reputation, and to avoid a very unwanted fine.
So in a nutshell, if you are a business (no matter how small) that processes the personal data of individuals in the EU or UK, whether or not you are established there, then you must comply with GDPR. Below we’ll look at understanding your data and how to make sure you’re following the rules.
Do you understand your data and GDPR responsibilities?
In order to achieve compliance and make sure you’ve got the most effective systems in place for your business, it’s vital that you understand what constitutes personal data and how you’re processing it. Personal data is any information that relates to an identified or identifiable individual, so it covers the most common information we share online such as names, email addresses, phone numbers, IP addresses and bank details. A subset of this, called special category data, is treated more strictly and includes information such as racial or ethnic origin, religious beliefs, political opinions, health data, sexual orientation and biometric data; you need a specific additional condition to process it at all.
Another important part of understanding your data is knowing exactly where it is stored and how it is processed. Because GDPR gives individuals the right to access their information and to have it erased on request, and you normally have one month to respond to such a request, you need to be able to find this data quickly. Map every system in which personal data is stored (including email, spreadsheets, backups and any third-party services) and how it is shared or used on a daily basis. Knowing what data you have will stand you in good stead if you ever receive a data subject request.
Finally, it’s a good idea to understand your responsibilities when it comes to GDPR. It can be helpful to write a compliance checklist for your business and to get to grips with any new terminology, such as “controller”, “processor” and “lawful basis”. Getting clued up on your responsibilities as a business is a very important part of making sure you’re sticking to the rules.
How can your business stay compliant?
As previously stated, a GDPR checklist can be very beneficial for your business. To help you out we’ve put together a list below of some of the simple steps you can take to keep your business compliant. You should:
- Identify a lawful basis for every use of personal data (consent is one of six, alongside contract, legal obligation, vital interests, public task and legitimate interests); where you rely on consent, ask for it explicitly, record it, and make it as easy to withdraw as it was to give
- Create a privacy notice (also called a ‘fair processing notice’) for your customers or users that explains what data you collect, why, on what basis, who it is shared with, how long you keep it and how they can exercise their rights
- Ensure you’ve got appropriate technical and organisational security measures in place to protect personal data, such as encryption of laptops and backups, strong passwords with multi-factor authentication on business accounts, and access limited to the people who need it
- Understand your data and prepare to meet access and deletion requests from customers or clients within the one-month deadline
- Train your employees about GDPR and how to report a data breach should one happen; a breach that risks people’s rights must be reported to the supervisory authority (the ICO in the UK) within 72 hours of you becoming aware of it
- Consider appointing a Data Protection Officer (DPO)
Should you appoint a DPO?
Whether you must appoint a Data Protection Officer (DPO) depends on what you process, not on how big you are: it is mandatory if your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data, or if you are a public authority. For most micro businesses none of this applies, so a DPO is not a legal requirement, but it can still be a good idea. If you don’t want to hire a DPO, you could assign responsibility to an existing employee. Their role is then to take ownership of GDPR compliance and ensure the business is meeting all the correct requirements. Bear in mind that a DPO must be able to act independently and report to the top of the business, so the role should not go to someone who also decides how personal data is used, such as the owner or head of marketing, as that creates a conflict of interest. This way you know that someone is always keeping an eye on compliance and educating themselves on better ways to keep data safe. But as previously stated, for a typical micro business appointing a DPO is not a requirement, just a good idea.