Is your organisation ready for GDPR? Top Tips for Small Businesses
What is GDPR?
GDPR – the big buzzword of 2018 and the elephant in the meeting room. If you’ve been avoiding the subject (or perhaps haven’t even heard of it at all!), now is the time to take notes. GDPR, the General Data Protection Regulation, has been introduced by the EU and has an approaching deadline of 25th May 2018 by which your business must be compliant.
Designed to replace the Data Protection Act 1998, the new regulation takes a broad-spectrum approach to the handling of personally identifiable data and sensitive information. It applies to small businesses right through to global organisations (and everything in between).
Unlike the more recent EU Cookie Law, GDPR is tipped to be heavily monitored and the EU has the power to bite. Businesses can expect fines of up to 4% of gross annual turnover or €20 million, whichever is higher, for failing to comply.
Why has it been introduced?
Essentially, it has been designed to bring data processing to the forefront of everyone’s mind. Money may make the world go round, but technology, connectivity and software are the driving force behind it. The ever-increasing push towards making every area of our lives digital doesn’t come without consequence. The purpose of GDPR is to put the individual in control of the information which a company holds on them, and to ensure that any information an organisation does hold is for legitimate, authorised use and is accompanied by details of how it is held – something which the Data Protection Act lacked.
What do I need to do to comply? The Three C’s
This will vary from business to business, but as a general rule for businesses, the “Three C’s” should be considered:
- Consent – ensure you have the individual’s permission to hold their information.
- Control – make sure that you’re holding the information securely, lawfully and necessarily.
- Clear – Individuals have the right to be forgotten; you must be able to remove any personally identifiable information on request.
How is my website and hosting affected?
Your web design and hosting company are both data processors and controllers. With the introduction of GDPR, processors can now be held far more liable for a data breach. The simple steps below help ensure that your website is compliant, and that the hosting company which holds the data is too:
Controlling data safely starts with making sure that your website is encrypted with an SSL certificate (green padlock in the address bar), that passwords are strong, and that they are held securely (i.e. not in emails!). We’d recommend LastPass, a free tool to manage your passwords through your browser and mobile devices.
If you have a contact form, a request-a-callback form, etc., then this data is being processed and later controlled. Many popular form tools on platforms such as WordPress will store the submissions in a database or send an email notification. It is important that this information is only held for as long as necessary. Ask your web designer or hosting company about setting up an auto-erase facility that removes old form submissions after X number of days. Notifications being sent through via email? These need to be controlled too.
Transfer of Information
Opt-in to Communication
Do you collect names and email addresses to send newsletters or marketing emails? If so, then an individual submitting a contact form, even with a pre-ticked box to opt-in to your newsletter is not enough. There must be express consent and it is advised that all of your forms have a tick box to opt in which the user actively has to tick. After all, you have to be able to prove that they have consented. Already have a large list of newsletter subscribers? We’d recommend asking them to expressly opt in again if they haven’t already. You may lose a large number of subscribers, but the quality of your remaining subscribers will be really high!
Right to be Forgotten
So you hold various records about an individual, and let’s say he or she has requested that any information you hold on them is removed. Under the new GDPR rules, you must comply fully. This includes removing contact details, communication records, tracking information, etc.
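The three mechanisms described above (the auto-erase of old form submissions, an opt-in that only counts when the visitor actively ticks the box, and erasure of everything held about one person on request) can be put together in one small retention module. The code below is an added illustration, not code from this article or from Create Designs; it assumes a constructed in-memory SQLite table standing in for a form plugin's submissions table, and a 30-day retention period chosen only for the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30  # assumed retention period; use one your business can justify

def open_store():
    # Constructed stand-in for a form plugin's submissions table (in-memory SQLite).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submissions (id INTEGER PRIMARY KEY, email TEXT NOT NULL,"
                 " message TEXT, consent_recorded_at TEXT, submitted_at TEXT NOT NULL)")
    return conn

def record_submission(conn, email, message, opt_in_ticked, now):
    # Consent is stored only when the visitor actively ticked the box (a pre-ticked
    # default must not arrive here as True); the timestamp is your proof of consent.
    consent_at = now.isoformat() if opt_in_ticked else None
    conn.execute("INSERT INTO submissions (email, message, consent_recorded_at, submitted_at)"
                 " VALUES (?, ?, ?, ?)", (email, message, consent_at, now.isoformat()))

def consent_proof(conn, email):
    # ISO timestamp of the latest recorded opt-in for this address, or None.
    row = conn.execute("SELECT MAX(consent_recorded_at) FROM submissions WHERE email = ?",
                       (email,)).fetchone()
    return row[0]

def purge_expired(conn, now, retention_days=RETENTION_DAYS):
    # The auto-erase job: drop submissions older than the retention period. Rows that
    # carry an opt-in are the consent record, so they stay until withdrawn or erased.
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    return conn.execute("DELETE FROM submissions WHERE submitted_at < ?"
                        " AND consent_recorded_at IS NULL", (cutoff,)).rowcount

def erase_individual(conn, email):
    # Right-to-be-forgotten request: remove every row held about this person.
    return conn.execute("DELETE FROM submissions WHERE email = ?", (email,)).rowcount

def demo():
    # Constructed scenario: one visitor ticked the opt-in box 40 days ago, another
    # sent two messages (35 days and 1 day ago) without ticking it.
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    conn = open_store()
    record_submission(conn, "alice@example.com", "hi", True, now - timedelta(days=40))
    record_submission(conn, "bob@example.com", "hello", False, now - timedelta(days=35))
    record_submission(conn, "bob@example.com", "again", False, now - timedelta(days=1))
    return (consent_proof(conn, "alice@example.com"), consent_proof(conn, "bob@example.com"),
            purge_expired(conn, now), erase_individual(conn, "bob@example.com"),
            erase_individual(conn, "alice@example.com"))
```

Running `demo()` shows the 35-day-old unconsented message being purged while the opted-in record survives as consent evidence, and both people's rows disappearing once they ask to be forgotten.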
What is my web design agency’s responsibility?
As a data processor, your web design company has a responsibility to ensure that your organisation’s data is handled properly and lawfully. You should approach your web design team to confirm that your website is compliant and that they are taking the necessary steps to keep both your data and your customer data secure and to a minimum wherever possible. It’s a big red flag if your web design agency is not aware of GDPR, as they should be working with you to ensure you are compliant.
At Create Designs, we are taking an active approach to assisting our clients with GDPR. We can offer an audit of your current practices and advise on the best way to approach the handling of data within your business.
If you have any questions or you’re unsure if your business is compliant, please get in touch on 01252 759340 and speak to a member of our team about how we can help.