It’s now less than four months until the introduction of GDPR, the new legislation that will radically change the way that organisations use (and store) personal data. With stats out recently revealing that two-thirds of start-ups aren’t prepared, and the GDPR document itself numbering 11 chapters and 99 articles (you can find it here if you fancy some reading!), getting ready for GDPR can be a daunting task for small businesses in the UK. So how can you structure it so that the task ahead looks achievable rather than gargantuan? We thought we’d take a look.
If your business has a website (and if not, why not?) this is often the best place to start. Looking at how your website collects and stores data will help your business in its quest to become compliant. If you are currently collecting email addresses for your mailing list through your website, you now need to have proven consent processes in place, which must also include verified consent for any under-18s. Simply taking an email address from an enquiry and adding it to your mailing list is no longer appropriate.
Once you have implemented the proven consent forms, you need to make sure that any data submitted through your site is encrypted in transit. Encrypting the connection to your website makes it near impossible for data to be intercepted between the visitor and your server, and is done by fitting an SSL (now more accurately called TLS) certificate to your site. When installed, the SSL certificate activates the padlock symbol and the https protocol, which in turn enables a secure connection from browser to web server. If you’re not sure whether your website has an SSL certificate, check whether there is a padlock symbol in front of the URL. If not, speak to your web developer and get this added. And if GDPR isn’t reason enough to add an SSL certificate, fitting one will also improve your website’s speed, performance and SEO.
The third step, no less important than the first two, is how you store the data that you have collected with the previously discussed level of consent and security. As the ultimate owner of any data collected by your company, the responsibility for compliance lies with you, so if you use a third party for storage, such as Dropbox or Salesforce, you need to separately verify the procedure for processing data with each third party concerned. If you store personal data in house, reviewing which staff member has access to which data, revoking permissions where necessary, and writing and implementing a strict procedure for the secure deletion of personal details under the ‘right to be forgotten’ article will all help your business become fully compliant. Conducting a data privacy impact assessment (DPIA) will help you work out where your business’s shortcomings are and confirm the processes for any third parties used.
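To make the consent and deletion points above concrete, here is an added example (not code from the original post) of a minimal mailing-list consent ledger: it refuses addresses lifted from a general enquiry, requires verified parental consent for under-18s, records proof of consent via a confirmation token, and erases a person’s details on request while keeping only a non-identifying audit entry. The form names, age threshold and data layout are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    email: str
    source: str                      # which form the address came from
    requested_at: str
    parental_verified: bool          # assumed: required for under-18 sign-ups
    confirmed_at: Optional[str] = None
    # one-time token emailed to the address; confirming it is the proof of consent
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class MailingListConsent:
    def __init__(self) -> None:
        self.records: dict[str, ConsentRecord] = {}
        self.audit: list[dict] = []   # non-identifying log of erasures

    def request_consent(self, email: str, source: str, age: int,
                        parental_verified: bool = False) -> str:
        # Consent must be asked for explicitly, not harvested from an enquiry form.
        if source != "mailing_list_form":
            raise ValueError("consent must be collected by the mailing-list form")
        if age < 18 and not parental_verified:
            raise ValueError("under-18 sign-up needs verified parental consent")
        rec = ConsentRecord(email, source, _now(), parental_verified)
        self.records[email] = rec
        return rec.token              # would be sent to the address for confirmation

    def confirm(self, email: str, token: str) -> bool:
        rec = self.records.get(email)
        if rec is None or not secrets.compare_digest(rec.token, token):
            return False
        rec.confirmed_at = _now()     # timestamped proof that consent was given
        return True

    def can_email(self, email: str) -> bool:
        rec = self.records.get(email)
        return rec is not None and rec.confirmed_at is not None

    def erase(self, email: str) -> bool:
        # 'Right to be forgotten': drop all personal data, keep only that an erasure happened.
        if self.records.pop(email, None) is None:
            return False
        self.audit.append({"event": "erasure", "at": _now()})
        return True
```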