The new data protection law may seem complicated, especially for a small business owner who lacks the staff and resources to tackle every legal aspect. At the most basic level, you need to protect the rights of the people who give you their personal data.
To be compliant, it's necessary to make sure that customer data is processed legally and collected for specific, explicit, and legitimate purposes. You must also ensure the data is kept secure and erased once it's no longer needed.
Here are 5 steps you can take to get your small business ready for the GDPR:
1. Educate Your Staff
First, make sure that your employees understand what the GDPR is and what obligations they have. Create a list of do's and don'ts, highlight the key aspects, and train your staff. Also ask your suppliers and business partners about their own GDPR compliance, since you remain responsible for the data you hand to them.
2. Conduct a Data Audit
Next, identify and analyze all data you hold on customers. Make sure you know where it comes from and who you share it with. Ask yourself the following questions:
- What data do I have - does it fall under the GDPR?
- Do I really need this data about a customer? How am I going to use it?
- Is the information accurate and up-to-date?
- How many copies of this data exist, and where are they stored?
- Are my customers aware of how their information is being used?
- Am I satisfied the data is being held securely? Is my website secure?
- Do I have a policy covering data protection?
If you monitor your staff, for example by checking their browsing habits in the workplace, tell them about it. The GDPR doesn't apply just to customers: it protects any individual in the EU whose personal data you process, including your employees.
Once you answer these questions, create a data policy that explains how your business will collect and use data from now on.
3. Consider Hiring a Data Protection Officer
Depending on the amount and type of data your company holds, it may be necessary to appoint a DPO. The DPO's primary role is to monitor compliance with the GDPR: training your employees, conducting regular audits, maintaining records of all data processing operations, and advising on how your data protection efforts can be improved.
However, a formal DPO is not mandatory for every small business. In that case, appointing someone responsible for privacy, or a part-time DPO, should be enough.
Public authorities, on the other hand, are required to appoint a Data Protection Officer. The same goes for any organization whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive data revealing political opinions, religious beliefs, ethnic origin, and other similar aspects. The role can be filled internally or by an external provider.
4. Determine How You Will Handle Data Breaches
Personal data breaches must be reported to your supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the individuals concerned; where the risk to those individuals is high, you must also inform them without undue delay. Make sure you have a plan of action in case anything goes wrong, and keep a record of every breach, even those you decide not to report.
In 2017, big players like Uber and Equifax suffered data breaches. Last year, more than 14 million U.S. small businesses were hacked. Yet over 90 percent of them don't use any data protection for company and customer information.
Considering these facts, it's crucial to ensure that you're keeping individuals' data safe. Identify and fix your vulnerabilities, secure your operations, and notify law enforcement if necessary.
5. Implement the New Data Protection Law
Finally, implement the GDPR. Let individuals know why you request and process their data, what your lawful basis is, how long it will be stored, and who will receive it. Use plain language to make yourself understood.
Whether you collect customer data for research, marketing purposes, or direct sales, you need a lawful basis for processing it. Where you rely on consent, it must be freely given, specific, informed and unambiguous, and you must be able to demonstrate that it was given. Update or re-collect existing consents if they don't meet this standard.
If your company provides online services directly to children, implement a system to check their age and obtain verifiable parental consent; the default age threshold is 16, though member states may lower it to as low as 13. The new law requires special protection for children's data.
The GDPR and Your Small Business
There are many other details to consider when implementing a GDPR project, and different sectors will be affected in different ways. Grasping the basics is a good starting point. To make sure you comply, appoint a person in charge of data protection and privacy.
Pay special attention to how you're handling data related to individuals' health, race or ethnic origin, religion, political opinions, and sexual orientation. If you transfer personal data to countries outside the EU, make sure a valid legal transfer mechanism is in place, such as an adequacy decision or standard contractual clauses.
The clock is ticking, so don't wait until it's too late! Contact us today to get your small business ready for the GDPR. Our team will help you manage customer data in a better way.