What is GDPR and how does it affect UK businesses?
GDPR – General Data Protection Regulation
As a marketing company that specialises in direct marketing and database management we know how important managing your data is, whether you are a small business or a large organisation.
So with the new GDPR regulations coming in, what does it mean, and how can you be GDPR ready?
Here are the headlines explained in 90 seconds…
Here’s some more detail and some advice on what you can action today:
What is GDPR?
It’s a new set of European regulations being made law that extends the current laws to cover any processing of the personal data of European citizens, wherever in the world that processing takes place.
Data subjects have Rights
Data subjects have similar but ENHANCED rights compared to the DPA (Data Protection Act), as follows:
- The right to request all data you hold on them
- The right to have data amended
- The right to be forgotten – i.e. to have data deleted
- The right to prevent direct marketing and to prevent automated decision-making and profiling
- The right to move their data.
How does it affect business owners?
Business owners that collect personal information about European citizens and store or process it must abide by the new laws from May 25th 2018 or face potential fines where non-compliance or data breaches occur.
Brexit makes no difference to business responsibilities…
Businesses must take notice – Brexit makes no difference. UK citizens fall directly under the regulations and even after Brexit UK Data protection or Privacy legislation will likely follow the same route.
If you have European employees, staff, patients, students or customers, then regardless of Brexit you must be compliant.
DPA compliance only? It’s a start, but it falls short!
If your business currently complies with the DPA then it’s a good start but does not ensure or prove GDPR compliance.
What should businesses do?
Businesses need to achieve and maintain GDPR compliance, or at least take appropriate action to ensure their data processes and privacy practices meet the GDPR regulations, and keep documentation that helps prove it.
Above all make sure all your systems and business processes have adequate data protection – this is termed privacy by design.
6 Steps to take towards general GDPR compliance…
- Discover – Map all your data storage and flows to gain a business wide picture in every department.
- Document – compliance and your legal basis for processing the data you hold
- Manage Compliance – Adjust or develop processes to meet the rights of individuals who want to request, delete or amend the data your business holds on them
- Protect – Improve overall data security in websites, systems, offices, staff activity and documentation
- Manage Risk – Adjust or develop procedures to report and track data breaches within the GDPR time limits
- Training – Make Data Privacy a business wide agenda and appoint where required a DPO or Privacy individual to champion adoption and implement staff privacy training.
Is your Website GDPR ready?
10 Steps to protect user data on your website
(note that this should be part of overall GDPR preparation)
- Change passwords regularly
- Use strong passwords and keep them safe
- Fix Forms – Make forms GDPR compliant with clear and Granular Privacy Disclosure and improved validation.
- Privacy Notice – ensure a compliant privacy notice is accessible from all customer touch points and clearly outlines what data you collect and why, and how subjects can request, change or delete their data with your business. This should also include 3rd party information, e.g. where you pass data to other systems for processing such as Mailchimp or cloud CRMs. Link to the 3rd party privacy policies.
- Cookie Control – state clearly all cookies that your website uses and why. Offer clients the choice to opt out of cookies. This also includes all 3rd party cookies.
- Security Certificates – Install an SSL/TLS certificate and serve the whole website over HTTPS to help protect data entered into forms while it travels between the browser and your server.
- Updated CMS software – keep all CMS software updated to latest security releases including extensions, plugins or themes
- Scan websites regularly for malware and investigate email bouncebacks.
- Ensure all devices used to access website admin areas or files are kept updated with latest system upgrades and have virus and malware protection.
- Map the data flows from and to the website and document compliance.
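As an added illustration of the "Fix Forms" and "Cookie Control" steps above (example code written for this article, not code from the original page or from any product), the snippet below shows the logic a website can apply before it sets non-essential cookies or accepts a sign-up: consent is only counted when the visitor explicitly ticked a box (pre-ticked or absent boxes count as "no"), marketing consent is a separate tick from the privacy-notice acknowledgement, the record notes which version of the notice was shown so consent can be evidenced later, and withdrawing marketing consent is a one-step operation. The category names, the `noticeVersion` field and the form field names are assumptions for the example.

```javascript
// Added example: granular consent handling for a website form and a cookie gate.
// Categories, field names and the notice version format are assumptions.

// Cookie/script categories. "necessary" is always permitted; every other
// category (including third-party cookies) needs an explicit opt-in.
const CATEGORIES = ["necessary", "analytics", "marketing", "thirdParty"];

// Build a consent record from the visitor's actual tick-box choices.
// Callers pass booleans (e.g. checkbox.checked). Anything that is not
// strictly `true` is treated as "not consented", so silence, pre-ticked
// defaults or a missing field never become consent by accident.
function buildConsent(choices, noticeVersion, now = new Date()) {
  const categories = { necessary: true };
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    categories[cat] = choices[cat] === true;
  }
  return {
    categories,
    noticeVersion,                 // which cookie/privacy notice text was shown
    recordedAt: now.toISOString(), // when the choice was made
  };
}

// Gate for setting a cookie or loading a script of a given category.
// Unknown categories are refused, so an unclassified tracker cannot load
// simply because nobody put it in a category.
function mayUse(category, consentRecord) {
  if (!consentRecord || !CATEGORIES.includes(category)) return false;
  return consentRecord.categories[category] === true;
}

// Validate a sign-up form: the email must be well-formed, the privacy
// notice must have been acknowledged, and marketing consent is a separate,
// optional tick box that is never required in order to sign up.
function validateSignupForm(form, now = new Date()) {
  const errors = [];
  const email = typeof form.email === "string" ? form.email.trim() : "";
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    errors.push("email: enter a valid email address");
  }
  if (form.privacyNoticeSeen !== true) {
    errors.push("privacy: confirm you have read the privacy notice");
  }
  if (errors.length > 0) return { ok: false, errors, record: null };

  return {
    ok: true,
    errors,
    record: {
      email,
      marketingOptIn: form.marketingOptIn === true, // granular, unbundled consent
      noticeVersion: form.noticeVersion,            // evidence of what was agreed to
      recordedAt: now.toISOString(),
    },
  };
}

// Honour the right to prevent direct marketing: returns a new record with
// marketing consent withdrawn and the withdrawal time noted. The original
// record is left untouched so the history of the consent is preserved.
function withdrawMarketing(record, now = new Date()) {
  return { ...record, marketingOptIn: false, marketingWithdrawnAt: now.toISOString() };
}

// Small demonstration with constructed input.
const demoConsent = buildConsent({ analytics: true }, "cookie-notice-2018-05");
console.log("analytics allowed:", mayUse("analytics", demoConsent));   // true
console.log("marketing allowed:", mayUse("marketing", demoConsent));   // false
console.log(validateSignupForm({ email: "visitor@example.com", privacyNoticeSeen: true,
                                 noticeVersion: "privacy-notice-v3" }).ok); // true
```

In a real site the same `mayUse` check would sit in front of every tag-manager or analytics loader, and the consent record would be stored server-side alongside the contact so a subject access request can show exactly what the person agreed to and when.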
So now you know the basics of what GDPR is and what you need to put in place to be ready.
If the next steps are to source support to implement changes to your business website then we are offering the following services:
- Data Flow Mapping
- Cookie Audits & Cookie Control Installation
- Form Fixes
- Privacy Notice Audits & Text Updates
- SSL Installation
- Software Updates And Upgrades
- Website Firewall Installation
- Subject Request Programming
If you need your entire business reviewed then we can help with that too.
Contact us for a free, no obligation chat.
Disclaimer: The information in this article/video is for your general guidance only and is not and shall not constitute legal advice. If you need legal advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice from your solicitor.