GDPR – Act now!

Business owners have been aware of the new GDPR privacy legislation for many months now. But for some companies, the ‘ostrich approach’ has prevailed, namely – stick your head in the sand and hope it goes away.

But far from disappearing, the 25th May deadline is fast approaching. So what do the regulations really mean? GDPR stands for General Data Protection Regulation – an EU measure that sets out stricter rules for hosting and processing personal data. Ultimately, these rules will give individuals greater control over the personal data that companies and organisations hold about them.

The implications for business are wide-ranging. Put simply, companies must establish explicit consent from consumers before collecting and storing their data. Failure to comply with GDPR will result in fines of up to 4% of global annual turnover (yes, that’s turnover, not profit).

If your business is just beginning to turn its full attention to this issue, here are five key considerations you need to take into account . . .

1. Tell your staff
It’s no good trying to implement GDPR if the majority of your workforce don’t know or understand the new rules, or the implications of not adhering to them. Invest in a training session for your staff from a GDPR specialist who will be able to clearly outline the key areas that are most pertinent to your line of business.

2. Identify your data
GDPR will regulate any personal data you hold and process for an individual including names, addresses, emails, telephone numbers, bank details and other personal, identifiable information. Personal data can be classed as two types. Either ‘structured’ ¬- for example, data which is held in an organised operating system such as a database – or ‘unstructured’ data, such as emails, spreadsheets and other digital or hard copy documents. Any personal data in a company’s possession before GDPR comes into force will still need to abide by the new regulations. This means it’s important to identify as early as possible what personal data you possess and the format it is in so you can ensure the applicable rules are being followed. For companies that keep large quantities of data, particularly the unstructured variety, it may be beneficial for them to consult a professional IT service provider to help identify and extract any relevant information quickly and efficiently.

3. Ensure your data storage is ironclad
Protecting personal data is a key part of the GDPR regulations so how it is hosted and accessed should be top of the priority list. Copies getting into the wrong hands, lost documents and human error can all contribute to a breach in the new regulations and potentially result in a hefty fine. Limiting hard copies and knowing where electronic data is stored, who can access it, and how, will save numerous headaches. Data security and privacy are paramount, so ensure your cybersecurity software is fully up to date. It’s worth following the National Cyber Security Centre’s advice and becoming Cyber Essentials certified for additional peace of mind.

4. Update your privacy policy
Get to grips with your company’s privacy policy for processing personal data and make sure it is updated with any relevant changes. A privacy notice, which outlines the main points that link back to your full privacy policy, will help to keep things clear and concise and can be used in email footers, and displayed on your website.

5. Don’t panic
Remember, as long as you do everything possible to abide by the new regulations and are able to fully demonstrate you are using best practice policy to mitigate data breaches and loss there should be no serious causes for concern. But don’t delay the inevitable. The sooner you get started, the better prepared you will be, and the less likelihood of slip-ups and problems further down the line.

Here at Fitzrovia IT, our experts will be happy to advise on technology solutions for GDPR, including helping you to become Cyber Essentials certified. Contact us today to arrange a consultation when we can discuss the way you record and store client information.