What is all the fuss about?
The first step towards GDPR compliance is awareness. Are you aware of GDPR? If not, it would seem you are in good company. A previous blog post paints a clearer picture.
GDPR builds on the Data Protection Act, but it differs in its jurisdiction. The Data Protection Act of 1998 is UK law; the GDPR is an EU regulation, and an EU regulation has direct legal effect across the whole EU. To do business within the EU, or to process the personal data of people in the EU, you will need to comply with this regulation. It essentially updates existing data protection law for the digital age.
What do I have to do?
You will see a lot of companies and people offering you advice. Some of this advice is freely available; invariably, there will also be a lot of companies and people wanting to sell it to you. What works best for you, only you can determine. Most importantly, it is your business, and you are the key stakeholder here.
With that in mind, my first suggestion would be to read and review the advice from the Information Commissioner's Office. Their website holds a wealth of material to assist you with GDPR. The ICO is the UK regulator responsible for enforcing the GDPR, and as such it has been tasked with providing businesses with appropriate advice and guidelines.
There is still a need for you to put in some work; nothing new there. You can pay someone else to do that work for you, but ultimately the responsibility remains with you. If your business is in breach of GDPR, it is your business that will be subject to any penalties.
GDPR from an Eagle’s Standpoint
The IAPP offer a good overview of GDPR, with a free PDF for you to download.
Taking a steer from their excellent advice, for a small business the areas to focus on are as follows:
- Implement “Privacy by Design”
- Ensure there is appropriate data security
- Keep records of all your processing of personal data, including consent records
- Obtain consent for your data collection where consent is the lawful basis you rely on
- If you use third parties to process data on your behalf, you remain responsible for the security and processing activities of those third parties
- Ensure you are collecting personal data lawfully and fairly
- Undertake a Data Protection Impact Assessment before starting any new processing activity that is likely to result in a high risk to individuals
- If collecting consent from children under 13 years old (the UK threshold; GDPR lets member states set it between 13 and 16), collect the consent from a parent or guardian
- When asked, be in a position to demonstrate compliance
- Notify the regulator (within 72 hours of becoming aware) and affected individuals of personal data breaches – individuals need only be told where the breach is likely to result in a high risk to them
Other areas to consider, some of which will not apply to every small business:
- Appoint a Data Protection Officer – only required for certain kinds of data processing activity
- Ensure safeguards are in place for cross-border data transfers – only required if personal data is being transferred outside the EU/EEA
- Provide appropriate training to staff – this will depend on staff access to data
It all seems so simple, does it not? That is just part of the story. The new regulation brings with it new rights for individuals, as well as new powers and penalties for the regulator.