The General Data Protection Regulation, or GDPR as it’s now more commonly referred to, is an EU-wide law that aims to strengthen and enhance the existing rules around data protection.
In particular, the aim of GDPR is to protect the personal information that individuals share with businesses, software providers and other organisations. As such, GDPR will affect any business that controls or processes customer’s personal data – which means it’s almost certainly going to impact on how you share and store data in your company.
Here’s our guide to how GDPR will affect your business, and what you need to do to stay compliant with the new rules.
Why is GDPR needed?
In 2017 there were 3.8bn users of the internet – that’s billions of people searching, working and submitting data online. And that means we’re all sharing more and more personal data online than ever before. As the recent Facebook data fiasco has shown, this has created an ever-present need for better protection of your personal data and information.
GDPR has been created as EU-wide legislation aimed at protecting our personal data and giving people a more transparent view of the data companies hold on them.
So GDPR is needed as a proactive (and legally binding) way of pushing businesses to rethink how they handle personal data. As Richard Suswain, our technology partner, points out, GDPR is actually a great incentive to audit your data policies:
“Data protection isn’t a new thing – we already have the Data Protection Act in place. If your business was secure under the old legislation, GDPR is an opportunity to review and update your policies, procedures and the way you handle data.”
Do I need to review my data processes?
The concepts of data protection included in GDPR are the same as under the existing law. What GDPR does is significantly tighten up and strengthen these existing rules.
The key change is the level of transparency for individuals and the level of detail businesses must now provide around what data they hold, and what is then done with that data. So a good starting point is to carry out an audit of the data flows within your business, and to get this all formally documented.
With many businesses now trading online, or using cloud-based software to interact with customers, real care is needed in tracking the online data flows in your business, as Richard Suswain highlights:
“Whatever kind of business you’re running, in 2018 you’re going to be using the cloud to an extent, even if that’s using Outlook or Gmail for your emails to customers. You can’t really avoid using cloud technology now. The key thing is to look at how you’re handling data on both a hard drive and on a server in the cloud, and that’s going to apply to pretty much all businesses, both large and small.”
5 key steps for getting GDPR compliant
On 25 May 2018, GDPR becomes law across all EU countries, including the UK.
So, if you’ve not yet considered the impact of GDPR on your business, where is the best place to start? As our tech specialist, Richard is in the best possible position to lay out the key steps your business should be actioning, so here’s his advice on making sure you’re GDPR compliant.
- Audit and review your data flows – “The big things is documenting what you’re doing from a data flow and data protection point of view. As long as you’re trying to do the right thing, and have detailed why you’re doing it, you’re on the right track. It’s about making a judgement on what you know about your data.”
- Encrypt your IT hardware and servers – “You need to go down the route of having your laptops, your PCs and your servers encrypted. If you’re using a Windows 10 PC, you automatically have a tool on there called BitLocker which is a very simple way to carry out an encryption of your PC.”
- Project your cloud solutions – “With your cloud apps and solutions, it’s about looking at where the data is stored and making sure, wherever possible, that you have 2-factor authentication (2FA) enabled for these apps. You can even go as far as having security encryption tools like Okta across all your systems. So you can assign access policies and bring-your-own-device policies for staff to all the apps you’re using in the business.”
- Consider how your send customer data – “Look at the way you’re transmitting client information from your laptops or PCs. So you need to look at email encryption and how you share information with clients, or you could use a document-sharing portal to remove the need for attachments in emails etc.”
- Update your customer and employment contracts – “You’ll need to communicate your updated data policies in any customer contracts, and new employment contracts will be needed for staff that cover privacy and employment data under the GDPR.”
A chance to get proactive with data protection
Compliance is never the most exciting aspect of running a business, but GDPR provides you with the impetus to really get in control of your customer data and data processes – which, in the long term, will be of great benefit to the company and your customers.
This long-term benefit is something Richard Suswain is keen to highlight:
“GDPR is an opportunity to review your procedures and processes and to improve them. A lot has changed in the world since the original Data Protection Act was enacted, and it’s time to update and revamp your data protection policies in line with this.
There’s been a lot of concern around meeting the May 2018 deadline, but you’ve just got to take a step back, be sensible about GDPR and seek out the relevant guidance.”