There are some simple steps to help SMEs understand how they need to change in order to comply with new data protection regulations.
The penalties for failing to comply with the General Data Protection Regulation (GDPR) that comes into force on 25 May, 2018, are steep: €20 million or 4 per cent of the offending organisation’s global turnover – whichever is greater. So what can you do to make sure you don’t fall foul of the new rules?
Assess your data
Conduct an information audit. Know exactly where your data is held, who has access to it and who you share it with. What is the procedure if someone asks to have their personal data deleted? How easy is it to find that data, whose job is it and how would you prove you had done it?
One way to start ensuring your data is compliant is to divide it into the following categories:
Colin Tankard, managing director of data-security company Digital Pathways, explains: “Volume is the amount of data, velocity is movement of data – are people constantly touching the CRM (customer relationship management) system and looking at details, for example – variety is how the data is stored, veracity is uncertain data and value is things like credit card data.”
Tankard says: “When we’re talking about being smart, velocity is the important thing to focus on.” He suggests starting a data-discovery process to see which data moves most: “Audit your servers and logs and drill down to that data. Take away any non-PII (personally identifiable information) data and focus on what remains.”
This can be smarter way than working through data department by department.
Firm up your storage
Under GDPR, all stored data should be encrypted wherever possible, while in transit and stationary. This means that storage solutions must be robust, with privacy built in from the very start. Storage must be easily accessible (so your data is portable and removable), in-house but also watertight to intruders.
Classify new data
The next step is to apply a data-classification process to all incoming data. “That way,” says Tankard, “you can see whether documents contain personal data and be forced to deal with them accordingly.”
Educate your staff on the new rules
Ensure data-protection compliance is embedded within the fabric of your organisation and that everyone knows what should be happening with personal data. Training is key, as is continuing support. Run regular data-security tests to check that everyone in the organisation knows what to do in the event of a potential data breach.
Update your contracts
Speak to your digital-marketing suppliers about the steps they are taking to protect your customers and update your contracts with them. As the data processor, you are required to maintain records of personal data and processing activities and are legally liable for a breach. Data controllers must ensure all contracts with processors comply with GDPR.
Firm up the data consent process
Introduce clear data-consent options to consumers for every communication method. At the moment, when you collect personal data you are obliged to offer a privacy notice giving people certain information, such as your identity and how you intend to use their details. Under the GDPR a blanket yes is not enough. Consent requests must be separate from other terms and conditions and granular options should be presented for different types of processing and different channels. This information must be provided in concise, easy-to-understand language.
Under GDPR, you will need to make clear the lawful basis for processing data and how long you keep it. You also need to state that individuals have the right to complain to the Information Commissioner’s Office if they think there is a problem with the way you are handling their data.
Individuals will also have the right to access their personal data and receive confirmation that it is being processed. You will have to provide this information free of charge and within one month of receiving the request. It must be provided in a commonly used electronic format - GDPR advice suggests providing remote access to a secure self-service system if possible.
People can also ask for data to be deleted if it is no longer needed for the purpose for which it was initially gathered, if consent is rescinded, if processing is in breach of GDPR or if the data must be erased to comply with legal obligations.
Appoint a data protection officer/dedicated data specialist
Under GDPR, you must appoint a data protection officer if:
- you are a public authority (apart from courts acting in their judicial capacity)
- you carry out regular and systematic monitoring of individuals on a large scale
- you undertake large-scale processing of special categories of data – such as health records or information about criminal convictions
- The data protection officer can be an existing employee, as long as the new role doesn’t cause a conflict of interest, or an external appointment.
Even if you’re not legally required to appoint a data protection officer, consider hiring a dedicated specialist to cover GDPR responsibilities. Or seek legal advice to be sure your particular model of data sharing is legitimate.
Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. In any case any recipient shall be entirely responsible for the use to which it puts this article.
This article has been compiled using information available to us up to 13/03/18.