The General Data Protection Regulation (GDPR) made the headlines in May 2018 when it came into force. Principally, those headlines centred on the fact that hardly any business felt adequately prepared for the new rules, and most had an extremely panicky couple of months attempting to ensure that they were in full compliance.
This led to virtually everyone in the country getting an inbox full of GDPR compliance-related emails – some requesting consent that had apparently never been obtained before, and others simply informing recipients that their data would continue to be used and that it was possible to opt out. Altogether it was confusing for businesses and even more so for customers.
However, if you are thinking of starting up a new business then it is important that you are completely GDPR compliant immediately, so the onus is on you to understand the rules and regulations. Here is a guide for what new businesses need to do in order to take steps towards GDPR compliance.
What is the GDPR?
The GDPR is a regulation initially introduced by the European Union (EU) but that has been transposed directly into British law as the Data Protection Act 2018. Effectively the regulation was designed to provide individuals and customers with more control of their own personal data that is being used or held by companies, but also to unify and simplify the regulations for businesses that process any kind of personal data.
The GDPR currently applies to any business that holds, processes or uses the personal data of any EU citizen (including British citizens), and Brexit will have no impact on the need for organisations in the UK to be compliant. Size is not a factor – all businesses that process data are required to be compliant.
Failing to comply with the GDPR can result in extremely heavy fines. Where the previous maximum fine had been £500,000, under the GDPR organisations could face fines of up to €20 million, or four per cent of annual global turnover – whichever is greater.
Establish how you are gaining consent to process details
One of the key principles of the GDPR is that businesses need to have consent to hold personal data. Sometimes this consent is implied by the obvious need to store details (such as when a customer has completed a transaction through your site), but in other situations consent needs to be obtained before data can be used.
For example, just because an individual has signed up to receive your business’ monthly newsletter does not mean that they consent to receiving daily marketing offers from you. The GDPR makes clear that in many cases consent needs to be gained explicitly rather than through previously used phrases such as: “by using our website, you consent to have your IP address stored.”
Understand the data that you process
To comply with the GDPR you need to have an understanding of the data that you are going to store, hold and process. For example, if you process payments then you will be taking data such as names, email addresses, bank details, contact numbers and much more. This is one form of personal data, but it also applies to information such as health details and religious views.
You need to have a system that allows you to quickly recall, modify and entirely delete records, as well as providing individuals with their own data, if requested.
A focus on security
The GDPR takes data security very seriously, and it is important that your business does too. You need to put policies, measures and defences in place to minimise the risk of your business being breached and losing customer data. Breaches need to be reported within 72 hours of your business becoming aware of them, so you need to have the ability to act quickly during an attack.
Ultimately, many new businesses would benefit from getting professional advice from GDPR specialists to ensure that they are in full compliance. The costs can be extremely damaging if you are not compliant and then suffer some sort of data breach – it simply is not worth the risk to your new business. Be sure to work with specialists who have an understanding of your industry and how the GDPR applies to you.