So, you’ve heard of GDPR but think it only applies to the big boys. You’ve done a bit of reading but don’t quite get it. Fines of four per cent of revenue for breaching the new data protection rules? Surely micro businesses are exempt, right?
Well, there’s no escaping the fact that the looming General Data Protection Regulation – which will redefine the way companies must approach data privacy – is getting a lot of attention ahead of its enforcement date of 25 May 2018.
Most businesses are busy getting ready.
However, many micro businesses, those with fewer than five employees, are working flat out and often can’t spare the time.
So, the first thing to say is that micro-businesses are NOT exempt.
You have to comply with GDPR regardless of your size, but there ARE some limited exceptions.
For example, organisations with fewer than 250 employees don’t need to map all of their data processing. However, they should still document any processing activities that could result in a risk to the rights and freedoms of the individuals whose sensitive personal data is being handled.
So, whatever your size, the first thing you need is a readiness plan.
Second, microbusinesses need protection against a security breach.
If you depend on third parties for IT functions or data storage you should ask them for assurances about how they protect your data.
The first step is to ask them for their ISO 27001 certificate, issued by an accredited certification body.
Internally, you should look at how you manage data access control.
Do you restrict access to systems with unique usernames and passwords?
You should also ensure your malware protection and software patching are up to date. And all data and mobile devices should be encrypted.
Third, how you OBTAIN consent is changing. You need to be much more precise with customers about what you will be doing with their data. And the definition of sensitive personal data is becoming broader.
As a result, a micro-business may find that much more of its information is in scope of the new regulation.
Fourth, every organisation is facing the challenge of proving GDPR compliance when requested. So they should undertake a data protection impact assessment to provide an estimate of the risk of non-compliance.
Fifth, consent to handle customer data should be explicit, freely given and unambiguous. So, you should be upfront and honest with customers about what you intend to do with their data; tell them who is going to have access to it and how long it will be kept. You must also make it easy to withdraw consent. Make sure approval requires an affirmative opt-in. Don’t use pre-ticked boxes or other methods of default consent.
Finally, just the most basic understanding of what is coming SHOULD encourage you to seek expert advice.
The Information Commissioner’s Office guide to IT security for small business is a great resource.
Get the guidance now – don’t wait until something goes wrong.
Bilal Khan, head of compliance, Daisy Group