01 Mar 2. GDPR
May 25 2018 is a date so etched in my mind and it should be in yours.
If you run your own business or work with any kind of data; this is the day the whole world changes in relation to GDPR (General Data Protection Regulation). That includes every business and organisation in the country from the big corporate to the tiny sole trader working from a spare room, it affects us all.
The headlining fines are deliberately scary, a deterrent and for most businesses will just obliterate them from existence. £20,000,000 or if you have substantial income 4% of your global turnover whichever is the larger. These are the maximums, but can your company carry that kind of fine?
This GDPR tsunami will arrive at the door, as usual in a torrent of big names being fined not least as a wake-up call to others. Smaller business will be left quaking in the board rooms wondering if they can sustain this punishment. Ignorance will not be a permissible plea as they have been talking about this for several years now and Brexit will not affect it at all, so we cannot use that as an excuse. We will wake on the 25th May and it will be here, flooding our offices, our filling cabinets and our documentation.
So; what is this new regulation?
What we have discovered is that there is no ‘one size fits all’. Each business needs to look at its own unique situation. What data the company holds and how it is stored and most importantly how it is used.
At least two roles for each business will need to be designated responsible for data and the relationship and legal contracts they have between each will be paramount for compliance purposes. One will be the Controller; the person who holds responsibility to apply compliance of data usage. From May the other person responsible will be the Processor; the person who actually handles the data and stores it for any kind of use; that includes third party holders of information, such as digital marketing companies or web hosting companies.
What of the data, we store data all the time to market our goods or services, client invoicing details, posting address, email acknowledgement. This is data that relates not to our products but to our clients, to our employees, to any person on which we hold information. The data we are talking about is personal data, that which relates to or identifies a person. It can include genetic, biometric, political, religious, sexual orientation as well as the straightforward name address and age. A wide scope really.
What should we do about this?
You need to check your data handling systems, your databases, what information do they hold and what do you need to keep. What permissions do you now need, to hold this information, how can you use it and what must you destroy. Whatever business you are in from the smallest sole trader to the biggest conglomerate you hold data and you need to be alert and taking action.
As a Chamber we are all affected by this and we can only bring it to your attention and point you in the direction, we cannot give you the specific advice that you require. We mention below steps for you to consider in respect of your business.
- Be Aware; at every level of employment within your organisation, it affects every employee. The law and hence your procedures will need changing
- Document your data; what do you hold, where do you store it, how do you share it? For example do your staff use it on unsecured personal phones, I Pads, laptops. Is it locked in a secure place? But who holds the keys and where do they keep the spare? It is not just client information that is covered by data. Do you hold HR records for your staff. You still have to hold this information, but you must have it documented.
- Communication; do you have a policy of telling people what you hold and what it will be used for and who will use it?
- Access; what policy do you have for staff or clients to access the information, under the Freedom of Information Act, you hold on them. What information can you delete securely and what must you keep under HMRC or Pension Regulator rules, even if you are requested to remove it.
- Consent; do you have consent to use the information. Historic permissions may be adequate, but should you check with all your contacts that they are happy to remain on your list from May.
- Children; this is a wide area and if you deal with children it may be sensible to look at this as a whole topic in its entirety. Can you verify child ages if you are age appropriate? Can your information identify a child? Do you have or need parental or guardian consent?
- Data Breeches: this may well be the crux of the matter if it comes to fining you. What processes do you have to stop the breech but more importantly what is your policy for informing and reporting the data breech?
- Data Protection Officer; do you have a person responsible for data protection compliance within your organisation? It is possible to outsource this role and for a small company may be an easier and safer option than running it yourself.
If you are unsure of anything call in an expert. There are many companies who have jumped on this particular ‘bandwagon’ and can advise you, but they are busy. They can help with data audits or advise you on your company’s individual needs.
Gillingham Chamber of Commerce and Industry AGM will be held on April 17th at Gillingham Town Hall 7.30pm. Come along and vote in our new chairman, hear how we have done over the last year. Be Part of Your Chamber.
please email firstname.lastname@example.org if you wish to attend