It’s not long to go before the much-anticipated (and, in some quarters, highly dreaded) General Data Protection Regulation (GDPR) comes into effect. The new rules, which replace the Data Protection Act (DPA), become law on 25 May. They will apply to any business or individual which processes any form of personally identifiable information on EU citizens.
These new measures are designed to strengthen and unify data protection for people across the EU and, among other things, will also address the export of their personal data to countries outside the area. Some of the existing DPA rights have been altered while other entirely new ones have been introduced, such as a right to data portability; an extended right to be forgotten; and an enhanced subject access right.
Data controllers and processors will be required to provide proof that they are fully compliant with the new legislation. Failure to do so has the potential to be a costly affair with penalties as high as €20 million or four per cent of annual global turnover – whichever is higher – for those who don’t comply.
No wonder some companies are dreading the imposition of these new rules! The penalties certainly are a major escalation from the maximum £500,000 fine for falling foul of the DPA, a penalty which has so far not been imposed within the UK.
While we don’t claim to be expert advisers in the field of GDPR, our business (like many others) has undergone the toil of preparing for this new legislation. The measures we have taken and the simple processes we’ve put in place can be followed by many other small businesses which are concerned about being compliant in time for the 25 May deadline.
As a creative agency which specialises in digital marketing and holds a huge amount of data within our business, our starting point was to ensure our own team was fully aware of GDPR and what it means to both our business and to our clients.
If you have not yet had this internal chat, I would strongly suggest you make it a priority. It is worth considering bringing in your company lawyer or an external expert to hammer home some of the finer details of the legislation and the implementation timeline.
You should then identify all key areas including clients, suppliers and your own business processes where personal data is held. Once you have made this assessment, you should identify key people within your company, based on their remit, who can take responsibility for each area needing attention. The person who handles HR, for example, would likely take responsibility for staff data while a sales director would cover customer data, etc.
The tasks that follow include identifying key contacts and requesting supplier policies and certifications, as well as full information on the data they hold. A document that charts all the key deadlines for tasks is helpful. It is also advisable to hold regular update meetings with your key people throughout this process.
Full details of GDPR can be found online. There you will see how fairness, transparency and confidentiality in handling personal data for both clients and staff are the key principles behind the new rules. It is therefore important to carry out an analysis of all your data records and ensure they comply with these principles.
After you complete this mapping exercise, you must identify the data you no longer need to retain and delete it from your system. Processes should be put in place to reassess the data that you do retain within your business on an ongoing basis to ensure that only relevant records are kept on file.
Communication with your customer base is an essential aspect of getting your business GDPR ready. We prepared a generic letter with a brief outline of what we were doing as a business to ensure we were becoming fully compliant, explaining that the new legislation meant we could no longer retain any current data on any client without a business justification.
It is acceptable to ask a client for written consent to keep their data on file, allowing them to check and/or change details of existing records. To ensure you don’t lose active customers, it is important to include a caveat within this communication that the absence of a written request by a specified date to retain their data means it will have to be deleted from your system.
A key part of preparing for GDPR is ensuring that your business’s future administration processes are in proper order. When completing the tasks set out above, it’s really important that you update these processes. You should, for example, look at consent forms, HR, client and supplier contracts and any other areas where you collect data to ensure they contain the right fields that enable records to be retained for only as long as they are relevant to your business.
Small businesses which do the hard work to become GDPR ready should let the wider world know about it. Once the above steps are followed you can apply for Cyber Essentials accreditation which allows you to do just that. This can be displayed on your website or as an email badge.
With it not long before GDPR goes live, you’ll need to get your skates on if you have not started the compliance process. As we have demonstrated within our small but thriving creative business, by following some simple processes, getting a small business compliant need not be as daunting as some fear.
Colette Reid is group services manager at creative consultants LEWIS