GDPR Countdown - What your small business needs to know about the new data protection regulations

21/9/2017

The internet is full of dire warnings about GDPR (EU General Data Protection Regulation). Non-compliance will be punished by heavy fines, they say: you’ve got a lot of work to do to reorganize all your data and mailing lists. You’d better pay a consultancy a large amount of money to help you, is the implied message.

How much of that is really true? And how much of it applies to you?

The answer, if you are a business employing fewer than 250 people and holding only standard data (such as a payroll), is: hardly any.

GDPR is really aimed at large corporates such as Yahoo, TalkTalk and O2, who have been careless with our data in the past, let hackers get their hands on it, and then not said anything about it for many months. The most recent example is Equifax, which was revealed in September 2017 to have lost 143 million customer records through a data hack four months earlier, in May. In fact, this has turned out to be their second breach – they suffered one in March too, and kept completely quiet about it.

It is companies like this, who have multiple failures and fail to inform the authorities or their customers, who will be paying the large fines.

If you’re a small organisation, especially one with good cyber-security and holding very little personal information about your customers, you’re highly unlikely to come to the attention of the regulators. The only exception is if your business model depends upon the regular processing of significant amounts of personal data. So, if you hold lots of consumer financial details, health records, or criminal records, for example, you should make sure you get specialist advice.

For everyone else, it’s a matter of:

Doing everything you can to protect the data you hold
Removing people's personal data from your records if they ask you to

And

Reporting any breach to the Information Commissioner’s Office (ICO) within 72 hours

So what you should be doing now is:

Making a list of the data you hold on individuals – such as HR files, payroll and marketing spreadsheets
Making sure it’s up to date and deleting anything or anyone you don’t need for your business
Restricting access to the data by using folder permissions or password-controlled access only to those people who absolutely need to use it
Seriously considering encrypting the data
Reviewing your network security
Speaking to any organisations that hold data on your behalf, such as payroll services, to ensure they are taking the right steps
Holding off buying or importing any mailing lists until all this has settled down and you can be certain that for all the contacts on the list there is an auditable record of consent
Making sure you know the ICO number just in case you suffer a breach of your system

Keep only the data you need; look after it carefully; and ‘fess up immediately if you ever suffer a breach. Follow these three golden rules and you should never have cause to fear GDPR.