With the introduction of GDPR which came into force on May 25th, 2018, it became much more crucial for businesses to ensure any data they hold is protected. Whether this is contact information for clients or payment details from customers, once this legislation had passed, companies were under much higher scrutiny to ensure their systems were safe. But how can a business control their data protection, and what measures can they put in place to ensure anything they hold is not hacked into, stolen or leaked?
What is GDPR?
GDPR, or the General Data Protection Regulation, is a data law that was introduced in 2018 to replace the previous Data Protection Act 1998. This legislation is much more in depth and detailed than the previous act, with much higher and more damaging penalties for businesses that don’t follow the rules.
Essentially the regulation is a set of guidelines around the collection and processing of personal information from people who live in the EU.
Why is it important?
For businesses of any size, the main reason to comply with the law is to avoid the astronomical penalties. The maximum fine for breaching the regulation is around £18 million (approximately €20 million) or 4% of your annual turnover, whichever is higher. If you’re a small organisation it can be particularly damaging, especially if you are still aiming to boast a profit each year.
Another important reason to comply is to ensure there is a level of trust between you and both your employees and customers. Not complying can cause a rift and potentially result in a loss of custom and a higher employee turnover. Your workforce and clientele both want to know their all-important, private information is as safe as it can be in your hands, and that it won’t be used in a way that it shouldn’t. Without this level of trust, you could be damaging more relationships than you think.
What a business has to abide by
There are 7 essential principles of GDPR that you must follow to ensure you both understand the implications of not complying and understand how you can protect yourself and your business.
1. Transparency: From the word go you need to ensure you are open and honest about how you use people’s personal data and why. You’ll need to have updated privacy policies produced, and these will need to be written in clear, plain language that is easy to understand by all. If it’s written in legal jargon that isn’t accessible, you could face issues.
2. Minimisation: It’s important to only collect personal data that is relevant and necessary to fulfil what you need it for. You’ll need to decide, as a business, what the minimum amount of data you need is and what its purpose is. For example, if you are shipping goods, you will need to collect a name, address and payment information. You do not need to know any other information than this.
3. Purpose Limitation: No matter what data you wish to collect, you’ll need to define your purpose for processing it. This will ensure the person whose data you are collecting understands how their data is being used, and can decide whether or not they’re happy to share it with you.
4. Retention: This means you will only keep personal data for as long as is necessary. How long you keep it will depend on what you use the data for, but either way you will need to define this.
5. Security: Your business will need to carry out a risk analysis to identify any areas where your data security could be lax. Are all of your computers protected? Do you have updated software in place? It’s good to introduce a number of best practices to your business to ensure all employees are compliant.
6. Accuracy: It’s your responsibility as a business to ensure any personal data you hold is not misleading – it will need to be kept accurate and up-to-date. With periodic checks and audits, you’ll be able to recognise any mistakes or discrepancies allowing you to resolve and make any changes swiftly.
7. Accountability: As an employer and business owner, it’s your responsibility to ensure you remain compliant with the regulation. That way you’ll be protecting your employees and customers. Having internal policies and procedures in place, as well as security checks and customer facing documents, will ensure you’re doing all you can to remain accountable.
Ensure security measures are in place
GDPR is a minefield. Understanding the rules, regulations and potential penalties can be overwhelming for many businesses. Bringing on board risk consultants to help you ensure you’re doing everything you can to be compliant and to spot any potential risks, can be a huge benefit. Make sure you take the time to become as clued up as possible, that way you’ll avoid the wrath of your customers and employees in the future!