GDPR: Begin your preparation now

Read Time: Approx 1 minute 40 seconds

You may be aware of the changes to data protection rules under the General Data Protection Regulation (GDPR), which will come into effect in May 2018.

It’s highly recommended that SMEs start preparing for those changes now.

My article aims to help you get ready for the changes and highlights the key areas that you may want to focus on.

The time to begin your preparation is NOW!

May next year will see the traditional Data Protection Act (DPA) replaced by a new framework, called the General Data Protection Regulation (GDPR).

The new framework has a greater significance than the DPA rules it replaces, and carries tougher punishments for those businesses that fail to comply with the new rules. These new rules specifically target businesses and look at how organisations store, manage and handle personal data. Personal data is a critical piece of intelligence, and is used right across your IT, HR, Marketing and Finance teams.

Influences such as culture, technology and mobility have changed how we consume data.

We crave the latest information and want access to that detail instantly. We want real time access to data on any device, anytime anywhere. These changes have shaped the way we work, and the ease of how businesses collect, store and move personal data across the organisation.

It is worth noting that despite the UK beginning the early stages of leaving the EU, the GDPR guidelines are expected to fall under British law, so they are still applicable to UK SMEs.

Are you secure?

Of course, this is also an opportunity for cybercriminals. It’s widely reported that UK businesses lost over £1bn to cybercrime in 2016. On average, a breach on your network can go 229 days undetected. Information such as birthdates, names and addresses is an example of personal data that holds high currency to the cybercriminals. Under GDPR, it is your duty to ensure this information is kept secure – and ignorance will not be tolerated if SMEs fail to comply.

What does GDPR mean for SMEs?

There are 160 points covered in the new guidelines. Some are carried over from the former DPA rules and others are new and more granular. I would urge you to act now and give priority consideration to the following guidelines that sit under this new framework:

  • Companies must keep thorough records of how and when an individual gives consent to store and use their personal data. Not in the form of a tick-box, but a very transparent audit of consent.
  • Companies need to document what information is held, evidence where it came from and who it has been shared with. If you have inaccurate data and have shared that with another organisation, it is your responsibility to pass that message on so accurate updates can be made.
  • GDPR is big on individuals' rights. You should check that your processes are in line for how you might delete personal data, or provide data. There are several 'rights' that the GDPR considers: the right to be informed, to access, to rectification, to erasure, to restrict processing, to portability, and to object, as well as the right not to be subject to an automated decision (including profiling).
  • Companies will need to give consent in the new GDPR standard. Review how you record, find and manage consent and if you need to make any changes.
  • Companies must have the right protection in place to detect, report and investigate a personal data breach.
  • Companies should designate a Data Protection Officer, and that role will be the person responsible for compliance. You NEED to appoint a Data Protection Officer if you are a public authority, a company that regularly carries out monitoring of individuals, or a company that processes 'special' categories of data (i.e. health records).

These new conditions alone – and there are many more – show just how demanding the new regulations will be for companies of all sizes. GDPR forces SMEs to know exactly what personal data they hold and where it is located (whether on PCs, on servers, or in the Cloud), and have procedures in place to ensure its complete removal when a request to do so is made. Personal data is a key tool for SMEs looking to target and retain customers: GDPR means it must be handled with the utmost care.

Make sure that decision makers within your organisation are aware that the law is changing. It's inevitable that this will cause some business impact, and areas of the business will need to look at how they comply with GDPR. The changes you may need to put in place may also have resource implications, so don't leave it until the last minute!

How can I help?

I work for O2 within our Digital Solutions team. We speak regularly to UK businesses about readiness for GDPR. We offer a number of solutions across a broad-ranging portfolio that can help you in your GDPR compliance, regardless of the size of your organisation. If you'd like to discuss this article or our solutions in more detail, I would welcome your feedback. Please get in touch.

Follow me @Martyn_GillO2

Wayne Caldwell

RSM at Fujitsu - Data & AI | Digital Transformation | Hybrid Cloud | Resilient Data Platform

7y

Very nice article Martyn Gill

Paul M. Caffrey

THE SALES PREPARATION EXPERT | Author 📚 | Speaker 🎤 | Coach Ambitious AEs to Exceed Quota 🏆 & Promote Faster 🚀

7y

Nice article Martyn Gill, unfortunately we are seeing an increase in customers being targeted by cyber attacks. It is good to know that with GDPR on the horizon that all businesses will be proactively protecting personal information. GDPR is still a massive unknown, e.g. how aggressively will it be enforced? GDPR compliance will get easier to achieve for businesses with large SaaS providers such as Microsoft committed to making their services GDPR compliant before May 2018.

Samuel Cook

Head of EMEA Partners at Airtable

7y

Yep. Just with a few months more understanding and clarification to offer so should be useful.

Samuel Cook

Head of EMEA Partners at Airtable

7y

Useful webinar on Friday at 2pm which your contacts are welcome to join. See my profile or twitter for details. @sam_cook_1986

Kenny Newby

Health Account Manager/Volunteer Football Coach

7y

Great article Martyn Gill thanks for sharing.
