GDPR: What is it and where to start?

There are just over two months to go until the new General Data Protection Regulation, or GDPR, comes into force. On the 25th of May this year, the GDPR will replace the 1995 Data Protection Directive, with the aim of harmonising data privacy laws throughout the EU and granting greater protection and security over personal data in our now digitised world. Businesses that are not compliant with the new legislation when it comes into force will risk incurring a fine of up to £20,000, and while it is tempting to think that Brexit could be a get-out clause, the UK has already pledged to implement GDPR regardless.

With a lengthy official document setting out just what the new legislation covers, making sure that your business is compliant can seem a daunting task. Luckily, there are many ways to break down what needs to be done and how, and many organisations that can help with these tasks, including ourselves. The first task is to work out whether your business is a ‘data controller’ or a ‘data processor’. A data controller determines the purposes and means of processing personal data, whereas a data processor is responsible for processing this data on the controller’s behalf. Both data controllers and data processors will need to be able to demonstrate that they comply with GDPR: in the case of the processor, that they maintain records of personal data and log processing activities; in the case of the controller, that they have a contract with a processor that is GDPR compliant. If you’re not sure whether your company is a data controller, a data processor or both, the ICO (the Information Commissioner’s Office) has developed online checklists to assist businesses, which are worth looking at.

Once you have established whether your business is a data controller, a data processor, or both, developing and using a checklist to see what needs to be adjusted within your business to ensure compliance is a must. Personal data is an essential tool for many SMEs looking to grow their business, but under the new GDPR personal data can only be collected on a lawful basis with proven consent. A great place to start when assessing your business for GDPR is to look at what data you already hold and ask yourself the following questions: is the data necessary (e.g. for a business contract)? Was the data collected through positive consent (a tick box is no longer appropriate)? Can the data be permanently deleted under the ‘right to be forgotten’ clause? If the answer to any of these is no, then adjusting your business’s practices to make sure these areas are covered is essential.

Another important aspect that GDPR was developed to encompass is the security of the personal data collected. Implementing the steps we mentioned previously is crucial when it comes to personal data; however, a business also needs to make sure that all personal data collected through a website is encrypted. This may sound complex, but in reality it just means checking whether your website has an SSL certificate installed. To check, load your website and look for a padlock in front of your URL. If there is one, your website has an SSL certificate; if not, your web support team will be able to add one swiftly and easily, and you can rest assured that any necessary personal data collected through positive consent on your website is transmitted securely. Note that the padlock only shows that data is encrypted on its way to your website; once it has been received and stored, it still needs protecting, which is what the next section covers.

With data breaches of large multinationals making headlines on a seemingly regular basis, ensuring the security of the data that you hold has never been more important, and this is another area that may need adjustments to ensure it is compliant with the new GDPR. If your business stores data in-house, reviewing and limiting who has access to what data, along with developing a detailed plan for the deletion of any data, will help your business achieve compliance. If you use a third party to store data, such as Salesforce or Dropbox, you need to check and verify their procedures for data storage, as your business is ultimately the data owner. A Data Privacy Impact Assessment can be very helpful in this instance.

Making sure that your business is GDPR ready on 25 May 2018 can seem a daunting task. We hope our blog post has given you some ideas on where to start. We are also available to help businesses become GDPR compliant; just get in touch via email@smithbutler.co.uk or give us a call on 01274 588115.