The New GDPR Regulations – Episode 2
Following on from Episode 1 (predictably!) this second episode gives you more practical suggestions on what you need to look at within your business to make sure you’re complying with the regulations in good time.
Hi, and welcome to another episode of BaranovTV, designed to demystify the world of accounts and tax and to help your business grow.
Now this episode is actually the second in a series around GDPR, which are the General Data Protection Regulations, which come into implementation on the 25th of May 2018. They are going to have a significant impact on small businesses.
We all hold an awful lot of data, and it is the processing of that personal data that these regulations are going to govern. Now the rules as they stand are still being refined, so they’re still shifting, they’re still developing. I would recommend, as I did in the first episode, that you do have a good read through all of the guidance and information on the ICO’s website, which is www.ico.gov.uk. Do keep going back to that and making sure that you’re looking at the most up-to-date information.
In the first episode, we covered the introduction to GDPR and the basic information, the key factors to think about, and the six lawful reasons for processing individuals’ personal data. Hopefully you’ve gone away, and you’ve had a good look at the ICO website, and you’ve identified which of those bases you actually need to operate on. It could be more than one, but if you know that, then you need now to consider what’s next, and we would recommend you do an audit of the data that you hold. So that’s going to be going through and looking at the various types of data and actually asking quite a lot of questions of that data and of your processes.
I’m going back to my notes! Again, there’s a lot of information I need to cover off with you, so please excuse me looking away at the notes, we just don’t want to miss anything out.
The first step that you need to take is to register with the ICO. You’ve got to register under the new regulations: even if you were registered under the old data protection regulations, you must take out the new registration.
It’s also useful to register for their e-news. As these rules become more refined, from what I can gather, they’re going to be announcing some sample clauses to put into policy agreements, and that sort of thing. So it’s going to be really good to register for their e-newsletter, I would suggest.
You could also access their checklists, which will be a huge help, to make sure that you’re going through this process properly, in advance of the 25th of May. So when you’re doing your review of your personal data, what do you need to look at? Well to start off with, look at the personal data that you’re currently holding, and where does that come from? It could be around prospective customers, existing customers, networking contacts, historic customers, suppliers, both current and historic, and of course, staff. If you have any staff within the business, you are holding their personal data. So even if you don’t keep any data at all about customers, and you have staff, you must take on board everything to do with GDPR, and make sure that you’re deploying that properly within the business.
So how did you obtain the data, was that actually provided by your contact?
Or was that gathered, so for example, did you go to a networking meeting and collect a lot of business cards?
How you need to deal with the data going forwards will depend on its source.
How long have you held the data? Unless you’ve got a legitimate reason, as I mentioned in the first episode, to retain it, should you have deleted it by now? If you don’t need to keep it, get rid of it, because the more you have, the more you have to deal with.
Who do you share that data with, if anybody? Do you pass that data on to suppliers? Do you work closely with partners within your business? Are they having access to your data? If so, you need to take that into account.
How is your data stored? A lot of us now are storing data electronically, but there are still businesses operating on paper records, on notes, and in filing cabinets, and that would need a different internal policy under GDPR than it would if you’re holding electronic records.
How secure is your data? Are your filing cabinets locked? Are they in a public place? If you use electronic records, how do your software updates get there? What’s the security of your system? What passwords do you have, and how often are those changed? And how do you ensure that those passwords are absolutely secure?
Is your website dealing with data appropriately? If not, and if you’re not sure, you need to speak to your web developer, and make sure that they’ve got everything in place. Technically, that data is being processed on the website if you have various lead bait or if you’ve got an e-commerce site, so those are all things to consider. If your data is in the cloud, there are implications around where that data is stored. If you’re using software that’s American, where is that data being stored? By now, that data should be being stored within the EU, there should be an option to do that, but if not, if it’s being stored outside the EU, then that’s another consideration.
Do you need to keep all the data you currently have? If not, as I mentioned before, have a really good clean up because if you don’t need it, you don’t need to worry about it any longer.
Make sure that your existing consents for all clients or customers meet the GDPR standards. Historically, we were able to email somebody and say, and I used to see it at the bottom of opt-in emails, in the centre of the email forms, where you’d give your email address: “Click or tick here if you’re happy to receive further marketing information.” Or, “Untick this box if you don’t want to receive it.” You can’t do that any longer, and you’ll have seen that there is actually a double opt-in on most email marketing campaigns now, where if you are enrolling yourself and joining somebody’s email database, you’ll get an email confirmation, which you have to then go and accept before you can actually get on to their newsletter. That is all starting to be around GDPR.
Make sure that you have the processes in place to detect, report, and investigate any breach of data. Those are all the stages, and I know there are a lot of them; there are 11 there.
If you go through those, you’ll end up in a position where you are able to document your stance around your personal data. You should be able to say, with documentary proof, what data you hold, where that’s held, who has access, how it is processed, and what your data protection responsibilities and processes are within your business. If you can do all of that, you are in a really good position for the 25th of May.
But time is ticking by, and you really do need to crack on with that. It’s not something most businesses have done in the past. Certainly, we are really hard on our data and always have been, and the security of that data, but we are needing to make quite considerable changes, so if we are, then a lot of other businesses are going to be.
This is why we’ve done these episodes of BaranovTV, to make sure we’re getting the message out there. Please don’t ignore the fact that these regulations are coming. We don’t know whether there’s going to be any kind of period of grace, it’s highly unlikely, so there is a risk from the 25th of May, on processing of personal data. As I’ve mentioned before, the rules are still being refined, so the ICO website is a really good place to hang out, and have a really good nose around and become familiar with, but also, do speak to a solicitor.
Make sure that your privacy policies and the way that you’re dealing with data is actually in accordance with the GDPR regulations because it will serve you in really good stead.
Finally, please do use these episodes as they’re intended. They are really just thought starters, and a way for us to highlight that this is something that you really do need to be aware of, and that there are risks around. Don’t take them as gospel; please do go away and do your own research, because your own business will be susceptible in different ways from ours and from others in our client base.
Any problems, as ever, do get in touch and we’ll give you the best advice that we can. Otherwise, we’ll speak to you very soon.