Who does GDPR apply to?
The GDPR applies to all businesses that have:
- Personnel in business locations of any type (e.g., office, manufacturing plant or distribution center) in the European Union
- Employees, contractors, consumers, customers, patients or other people who are citizens of, located within or currently traveling through the European Union
- Processing that includes some type of monitoring of individuals within, or who are citizens of, the European Union
- Goods and/or services that are available to individuals located within the European Union
Understand your data
The first thing you need to do is understand the data you handle. What details are you storing about your customers, clients, employees (past and present) and suppliers? What elements of that data could be considered sensitive (religious views, medical details etc) and require special treatment? Where does the data come from, how do you store it, and what do you use it for?
If you’re ever audited on your data, these are the first questions you’re going to be asked. And if you don’t know it inside out, then you’re going to fail compliance tests. So, make sure you spend the time now familiarizing yourself with your data.
Evaluate your consent policies
If your data requires any consent, then you need to make sure that this consent is clear and explicit. While this could apply to several scenarios, the common one will be marketing – if you contact customers via email, direct mail, SMS or any other channel, you need to be able to demonstrate that you have their consent.
Where it states that consent must be clear and explicit, this means you must be clear on what a customer is opting in to receive, and you can’t use any tactics to gain that consent that could be considered underhanded – including having consent boxes pre-ticked. Ensure you’ve got clear consent from anyone you market to, and if you can’t prove that you do, consider asking your database to opt in again.
Write and publish fair processing notices
Under GDPR, you need to display fair processing notices. When an individual gives you their data, your fair processing notice should tell them why you’re holding it, what you’re going to do with it, where else you may send it, and how long you’ll be storing it for.
It’s a good idea to get ahead and write these notices now, so you can publish them before the deadline date. Even if they aren’t a current requirement, the sooner they’re live the better, and it helps show your clients or customers that you’re trustworthy too.
Have a clear out of old data
One of the stipulations of GDPR is that you only store data as long as you need it. So now’s the perfect time to audit your own data and see what you’ve got saved that you know you’ll no longer need. There’s no need to be over-zealous – if you think you may need data then keep it – but destroying any old and unnecessary data now will ensure you’ll have less to audit in future, and that you’re already showing you’re compliant.
Understand how to deal with access requests
Anyone whose data you hold will have the right to request access to that information. You need to be capable of responding to that request in a reasonable time. Generally, you’ll have a month to reply, but if the request is particularly complicated, you can extend this by a further two months (providing you can explain why it’s complicated, and that you notify the person requesting the data of the extension within that first month).
So, make sure you’re ready. Ensure your data is in order, and that you’ve got the required admin staff to be able to handle and process these requests. You may want to appoint a member of your team to be responsible for all data requests, making sure they’re trained to reply correctly.
Invest in encryption
You’re responsible for the data you hold, which means if you’re cyber-attacked and your data is stolen, it’s you who is liable. Under GDPR you have to demonstrate how you store data and show that it is safe.
That’s why encryption software may be a wise investment. It’ll help keep your data secure and show any auditor that you take data safety seriously.
Check your supply chain
Unfortunately, it’s not just your business that needs to be GDPR-compliant. You also need to check that any suppliers or contractors aren’t breaching the regulations either. If they are, and they pass data to you that isn’t safely stored or that was recorded without consent, then you also become liable.
So, check whether your suppliers are also paying GDPR the right attention and acting to make sure they’re compliant. Also review your contracts with them now – make sure that any liabilities for their own data failings don’t impact your own business.
Train your staff
Finally, especially in a small business where you may not have a dedicated Data Protection Officer or specific admin team who deal with data and requests, you must make sure your staff are trained in what GDPR means and what your business needs to do to remain compliant.
Start planning training sessions now, to make sure all key staff are aware of their responsibilities with data. It’s vital that they’re up-to-speed when the legislation comes into effect, so that they don’t misuse data and get your business into trouble. They also need to be aware of how to report data breaches or process mistakes, and who to report them to.