Is your business ready for GDPR?

This 500-word article was written for Axa Business Insurance's Guardian Angel audience. I had a lot of fun researching this topic, not only because I was part of a security and information assurance community of practice, but because the Guardian Angel section itself has such a lot of informative articles for small business owners. I wanted this article to convey a 'don't panic' response for business owners who may have waited until the last moment to look into GDPR.

Photo by James Sutton @ Unsplash

The EU’s General Data Protection Regulation (GDPR) is coming on 25 May 2018. Are you prepared?

If you don’t know what GDPR is, you’re not alone. 72% of British adults aren’t sure what it is either. But, as a business owner, you’ll need to know what GDPR is and how to comply. Fines for non-compliance can be hefty.

What is GDPR?

Simply put, GDPR concerns personal data and how companies gather, store, and use it. Done well, customers will trust you with their private data because they’ll know it’s in safe hands.

How do you know if GDPR applies to you?

GDPR is not just for mammoth organisations with thousands of employees and customers. If you provide a service to anyone in the EU or UK, chances are, GDPR affects you.

Do you hold data that can, along with other information, identify a person? Like customer email addresses and names? GDPR applies.

Does your business have employees? GDPR protects their data too.

What can you do right now?

While there is a wealth of GDPR guidance, it can be overwhelming at first. So let’s break it down into common-sense actions you can take right now.

Tell everyone

It’s easier to protect data if everyone is aware of it, so let your employees know about GDPR.

Create a data inventory

This is essential. List the data you hold, where it came from, where it’s saved, who can access it, and what you do with it. It’s hard to be compliant if you don’t know what you have.

Take care of the data

What measures are in place to keep the data you hold safe? It’s a good time to revisit them. Businesses need to report any loss or breach of personal data within 72 hours.

Write a clear privacy policy

Be transparent with customers and employees. In layman’s terms, let people know what information you’re collecting, how you’ll use it, and who you might share it with.

Don’t hold data you don’t need

Have you ever asked for information you intended to use someday for something? You must have a legitimate business reason for holding it.

Get consent

Clearly tell people what they are consenting to. You may need to ask existing customers if you’re still allowed to keep their data.

Avoid shady tricks like ticked checkboxes for automatic opt-ins. And make it easy for people to opt out.

Build processes for finding and deleting data

Anyone can now ask to see what data you hold on them or request removal. You have one month to do this, so make sure it’s easy to do. There are exceptions if you are legally obliged to hold onto it.

Where do you put your trust?

Becoming GDPR compliant might be complicated. Protecting your business isn’t. Keep it simple with data protection cover from AXA.

Find out more about our professional indemnity insurance