GDPR 101 for Small Business

Many of you will have heard lots about the changes in data protection legislation in Europe and the UK from May 2018. There's loads of information out there, and the Government website has lots and lots of dense information too, so we thought we'd spell out the basics for you to think about and consider to make sure you are GDPR ready.

The main thing to remember is that this new legislation has consent at the heart of it. As a small business you have to be able to provide a complete audit trail of all the data that you hold on any individuals, including screenshots and ticked consent forms. Simply asking a person to tick a box not to receive information from you is no longer good enough. Individuals must expressly request to be in your data lists, and they also have the right to be forgotten... forever. Any breach of security has to be reported within 72 hours, and all your data should be held securely.

What does this mean in real terms?

  1. What is data? Any information that can identify an individual, including their date of birth, address, full name, email address, etc.
  2. Consider the location of data you already have about your customers. Where is it held? If it’s on a hard drive in your office, then consider transferring it to a secure cloud account in the event that your hardware is stolen. Think about using online software to manage your data like Mailchimp or a secure eCommerce portal.
  3. How did you get the data you hold? Was it automatically gained when individuals showed an interest in your business or when they bought from you? Did you expressly explain that you would hold their data? If there is any doubt, you need to consider removing them from your data or expressly re-asking permission as a fresh start.
  4. Do you have a robust system that means any individual who is included in your data can quickly and easily be removed from your list forever? This system needs to ensure that they can't accidentally be re-added at a later date, either by your software or by you personally.
  5. Do you have a truly valid reason to hold data on any individuals? As best practice, you need to explain why hearing from you might be beneficial to them. This will help cement your reputation and keep you on the right side of the law.
  6. Be sure that there is no way you can share data on individuals by accident or intent.
  7. GDPR is new and complex, and there's new help and information out there all the time, so above all, make sure you stay in touch with the information and keep yourself updated.