SMEs should start to plan for GDPR - it is important
The new European personal data regulations come into force in 2018 – and SMEs need to start preparing now.
On 25 May 2018, the Data Protection Act 1998 (DPA) will be replaced by the EU’s General Data Protection Regulation (GDPR), a framework with greater scope and much tougher penalties (fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher) for those who fail to comply with its rules on the collection, storage and handling of personal data.
While the new framework takes effect as the UK begins the process of uncoupling from the EU, the Great Repeal Bill means it is likely to be carried over into British law, so Brexit is no reason to delay preparation.
The DPA dates from 1998, a time when only the largest companies had the means to collect and store significant amounts of personal data.
In the intervening years, the ease and sophistication of data collection mean that thousands of SMEs not only collect personal details but store, move and access them online. Personal data is used in everything from sales to customer relationship management to marketing.
Among many new conditions, one of the biggest changes SMEs will face concerns consent. Consent is only one of the lawful bases GDPR recognises for processing personal data, but where a company relies on it, the company must keep a thorough record of how and when each individual gave consent to the storage and use of their personal data.
Consent must also be an active, unambiguous agreement: it can no longer be inferred from silence, inactivity or a pre-ticked box. Data controllers (the companies that decide how and why data is processed) will have to show a clear audit trail of consent, such as a saved copy of the consent form or a screen grab of the wording the individual agreed to.
Individuals also have the right to withdraw consent at any time, and withdrawing it must be as easy as giving it. When somebody withdraws consent and no other lawful basis for holding their data remains, their details must be erased from every system that holds them, not just removed from a mailing list. GDPR also gives individuals a broader right to erasure, widely known as the right to be forgotten.
In the event of a personal data breach, GDPR requires companies to notify the relevant supervisory authority (in the UK, the Information Commissioner’s Office) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. The notification must describe the breach, its likely consequences and the measures taken or proposed to mitigate its effects. Where the breach is likely to result in a high risk to individuals, those individuals must be informed as well, without undue delay.
These conditions alone, and there are many more, show just how demanding the new regulations will be for companies of all sizes. GDPR requires SMEs to know exactly what personal data they hold and where it is located (on PCs, on servers, or in the cloud), and to have procedures in place to remove it completely when a valid request is made. Monitoring must be able to detect breaches as soon as they happen, and an incident response plan must be in place to deal with the repercussions, including the 72-hour notification requirement.
Preparing for all this will require a full information audit and, for many companies, a change in culture, which SMEs should start to plan and implement well in advance of the May 2018 deadline. Personal data is a key tool for SMEs looking to target and retain customers: GDPR means it must be handled with the utmost care.