GDPR reflects how much more personal data matters now than when the Data Protection Act 1998 was written. The Regulation substantially tightens the requirements on organisations of every size, from large enterprises to SMEs, that store, share, send or receive the personal data of people in the EU.
Note: the UK is still in the EU on the date GDPR comes into force, so it applies in full to UK businesses.
Personal data is defined broadly. The Regulation itself (Article 4(1)) says "any information relating to an identified or identifiable natural person"; the European Commission's plain-language summary puts it as "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address." Note the last item: an IP address or other online identifier can be personal data on its own.
This is where a large number of companies and SMEs are going to struggle. You are obliged not only to comply with GDPR but also to be able to demonstrate that you comply (the accountability principle, Article 5(2)). Businesses are expected to design, develop and implement business processes for products and services in which data protection is built in from the start. In practice this means adhering to the principles of data protection by design and by default (Article 25): collect only the data you need, keep it only as long as you need it, and restrict who can see it. Appropriate technical measures include pseudonymisation and encryption of personal data (Article 32(1)(a)); Recital 78 gives further examples, such as minimising the data you process and pseudonymising it as early as possible.
How is a small business going to prove it is compliant, especially when customer data is scattered across several spreadsheets in several different parts of the business? Why does this matter? The maximum fine for the most serious infringements is €20m or 4% of worldwide annual turnover, whichever is higher (Article 83(5)). Granted, it is unlikely an SME will attract a fine of that scale, but it shows how seriously the Regulation is meant to be taken. And remember, the UK is still part of the EU when this comes into effect.
So here are the six things you will need to do:

1. Tell people what you do with their data. You will need to explain to clients and customers, via updated privacy notices, why you are collecting data, what you will do with it, how long you will keep it, who will have access to it and where it will be stored (Articles 13 and 14). Where you rely on consent as your lawful basis, it must be a clear affirmative action that you can evidence (Article 7); pre-ticked boxes and silence do not count. A double opt-in, where the customer confirms by email, is a common way of evidencing consent, although the Regulation does not mandate that specific mechanism.

2. Map your data. Even as an SME, you will need to know where personal data is stored in your business, what it is, and how it is shared both internally and externally. Write that map down: Article 30 requires a record of processing activities, and the exemption for organisations with fewer than 250 employees does not apply where the processing is more than occasional, which routine customer records usually are.

3. Plan for a breach. You will need to document how you will deal with a data breach or a ransomware attack (yes, even an SME needs this). Make sure you have processes in place to detect a breach, work out what happened and which data was affected, contain it, and report it. Under Article 33 you must notify the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to individuals; under Article 34 you must also tell the affected individuals without undue delay when the breach is likely to result in a high risk to them. Keep a log of every breach, including those you decide not to report and why.

4. Be ready for access requests. Customers have the right to know what personal data you hold about them and to obtain a copy of it (Article 15), and in many cases to receive it in a structured, commonly used, machine-readable format (Article 20). You need processes in place to locate the data, verify the identity of the person asking, and deliver it securely without undue delay and at the latest within one month (Article 12(3)); that period can be extended by a further two months for complex requests, but you must tell the requester within the first month.

5. Be ready to delete. When a customer asks you to erase their data in the circumstances set out in Article 17, you will need processes to locate and remove it, confirm to the customer that you have done so, and inform anyone you have shared it with (Article 19). Remember the copies: backups, exports, and the spreadsheet sitting in someone's inbox.

6. Secure data in transit. GDPR applies to your external communications as much as it does to your internal processes. Sharing personal data such as names, addresses or ages must be done securely; Article 32 names encryption as an appropriate measure, and an unencrypted email attachment full of customer records is hard to defend. If you send or receive personal data from customers or other external contacts by email, make sure it is encrypted, whether that is the attachment itself, the message, or a secure transfer service used in place of email.
There are extensive resources available to help you make sure that you are compliant by 25th May 2018:
Drop me a line if you would like to talk through how cloud-based apps can help you reduce the risk of falling foul of GDPR.
Imtiaz is an enthusiastic and innovative professional with over 20 years of experience in the Retail, ERP and CRM business areas in the UK, South Asia and the Middle East. PS. When he's away from running UnifiedApps, he's also known as a mediocre guitar player :-(
The information and opinions provided do not address your individual requirements and are for informational purposes only. They do not constitute any form of legal advice, should not be relied on or treated as a substitute for specific advice relevant to particular circumstances, and are not intended to be relied upon by you in making (or refraining from making) any specific decisions.