When the GDPR (General Data Protection Regulation) came into force in May 2018, it caused a lot of extra work for small businesses. But do you still need to worry about the regulations? Benjamin Dyer of Powered Now takes a pragmatic look at the issue.
What is GDPR?
The General Data Protection Regulation (GDPR) is the law on protecting personal data, which came into force on 25 May 2018.
Does GDPR apply to my business?
GDPR applies to any organisation that handles or processes personal data.
While the law applies to everyone, businesses that are most under the spotlight will be those handling large volumes of data or who hold sensitive information on individuals like medical history or sexual orientation.
What are my responsibilities under GDPR?
GDPR requires you to embrace protection of personal information "by design and by default". People whose data you hold also have rights which you must respect. This is all fairly complicated. To conform means auditing the personal data you hold in your business, and determining the "legal basis" for each type of processing you do.
You also need to plan how you will process people's data requests, and how you would report a security breach. Reporting any loss of unencrypted personal details from your business is mandatory under GDPR.
How can I comply with GDPR?
The single most important thing, and one that protects your business anyway, is to keep your systems and data secure.
Here are my top tips for achieving this:
- All of your software should be kept up to date, as new security flaws are constantly being found. The ICO takes a very dim view of businesses not updating their software, as this has been the cause of several high-profile breaches of personal data.
- You should have anti-virus software on every machine that you use.
- Computer networks should be "locked down" with a firewall that doesn't allow anything nasty in. Larger companies should get penetration tests ("pen tests") performed by a third party.
- You should make sure you and your staff are aware that all unusual emails are suspect. A lot of hacks happen because people click on attachments or links in email pretending to be legitimate. Get Safe Online has advice on spotting email scams.
- Personal data, including email addresses, should never be left on memory sticks, laptops or websites, unless these are encrypted.
- All of your computers and network gear should be set up with a non-obvious password - especially laptops which can be easily lost or stolen. A single word should never be used for a password, nor one with a single digit before or after that word. These passwords are easily cracked.
- Never use the same password for multiple accounts. Hackers, having exploited one weak point to get your password, will then use this password and your email to try to log in to other places. If you always use the same password, your security is as weak as the weakest link wherever you create an account.
The precautions listed here will hugely reduce your risks of a hack and a fine under GDPR.
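As an added illustration of the password tips above (this is example code, not from the article or from Powered Now), here is a small Python audit that flags the two weak patterns the tips describe, a single dictionary word and a dictionary word with a single digit before or after it, and also reports any password reused across accounts. The word list and the credential set are constructed samples; a real check would load a full cracking wordlist, and the pattern check is deliberately no broader than the article's rule.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for a cracking dictionary (assumption: a real audit would
# load a large wordlist; these few words are enough to exercise the check).
COMMON_WORDS = {"password", "welcome", "summer", "football", "letmein", "monkey", "dragon"}

# Matches an optional single digit, a run of letters, and an optional single digit.
WORD_WITH_DIGIT = re.compile(r"(\d?)([a-z]+)(\d?)")


def matches_weak_pattern(password: str) -> Optional[str]:
    """Return a reason if the password follows a pattern the tips warn against,
    otherwise None. Comparison is case-insensitive because crackers try case
    variants of dictionary words as a matter of course."""
    core = password.strip().lower()
    if core in COMMON_WORDS:
        return "single dictionary word"
    m = WORD_WITH_DIGIT.fullmatch(core)
    if m and m.group(2) in COMMON_WORDS and (m.group(1) or m.group(3)):
        # Covers a digit before, after, or (slightly beyond the article) both.
        return "dictionary word with a single digit before or after"
    return None


def find_reused(credentials: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password used for more than one service to the sorted list of
    services sharing it. Input is service name -> password, as a password
    manager export would give you."""
    by_password: Dict[str, List[str]] = {}
    for service, pw in credentials.items():
        by_password.setdefault(pw, []).append(service)
    return {pw: sorted(svcs) for pw, svcs in by_password.items() if len(svcs) > 1}


def audit(credentials: Dict[str, str]) -> List[str]:
    """Produce human-readable findings. Passwords themselves are never included
    in the output, only the service names and the reason."""
    findings = []
    for service, pw in sorted(credentials.items()):
        reason = matches_weak_pattern(pw)
        if reason:
            findings.append(f"{service}: {reason}")
    for services in find_reused(credentials).values():
        findings.append("same password reused across: " + ", ".join(services))
    return findings


# Constructed sample credential set for demonstration only.
SAMPLE_CREDENTIALS = {
    "email": "Summer",
    "bank": "1Welcome",
    "accounts-software": "correct horse battery staple",
    "supplier-portal": "correct horse battery staple",
}

if __name__ == "__main__":
    for line in audit(SAMPLE_CREDENTIALS):
        print(line)
```

Run it as-is to see the three findings for the sample set; to audit your own accounts, feed `audit()` a dictionary exported from your password manager and replace `COMMON_WORDS` with a real wordlist.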
What if I don't comply with GDPR?
Maximum fines for non-compliance with the regulations are up to €20m, or 4% of sales, whichever is higher.
However, the Information Commissioner's Office (ICO), the UK government organisation charged with enforcing GDPR, has said that they will not fine businesses that have tried their best to comply - only warning them as a first step. Also, fines won't be levied that would put offenders out of business.
Should I get help with GDPR?
Making us all think more seriously about data security is good, but if you are a smaller business some of the provisions are hard to comply with. Frankly, it might be wise to get professional help to make sure you're on track.
Remember that anyone purporting to be a GDPR expert should know everything contained here, and particularly the limits on fines that the ICO have announced. They should also be familiar with the legal bases for processing personal information, as many people get this wrong.
The ICO itself also has some helpful information on their website.
Good luck!
Written by Benjamin Dyer, co-founder and CEO of Powered Now Invoicing App, helping tradespeople to simplify paperwork and save time.
Data Protection Self Assessment checklists
The Information Commissioner's Office (ICO) has produced a toolkit aimed at small and medium-sized organisations to help them work out if they are complying with the General Data Protection Regulation (GDPR). You can use the checklists to make sure you comply with the GDPR and find out what you need to do. The toolkit contains checklists on:
- Data protection assurance
- Information security
- Direct marketing
- Records management
- Data sharing and subject access
- CCTV
Complete the ICO self-assessment data protection toolkit.
Written by Ben Dyer, former CEO of SellerDeck.