With the recent changes in GDPR now effective, we know many small businesses are feeling overwhelmed!
Mike Cherry, national chairman of the Federation of Small Businesses (FSB), said that “GDPR is the biggest shake-up in data protection to date and many small businesses will be concerned that the changes will be too much to handle”. But compliance doesn’t have to be the bureaucratic nightmare some make it out to be, so we’ve put together a few suggestions to help ease the stress.
Do you need a DPO?
The question on many people’s lips is whether they need to hire an individual, a Data Protection Officer (DPO), who will be solely accountable for monitoring everything data related. As stated on the ICO’s website, the GDPR only requires you to appoint a DPO if you are a public authority or body, or if you carry out certain types of processing activities – so for those small businesses worried about the cost implications of this, think about whether you actually need a DPO! The ICO has more guidance on whether you need one here.
However, if you decide not to appoint one, the ICO recommends documenting this decision!
Would you leave your doors unlocked?
You’d never leave your house unlocked, so why would you leave data lying around for anyone to get their hands on? It’s worth reviewing how your data is stored and whether it’s at rest, in transit or in use. This is where encryption comes in, keeping data protected if it is ever lost or stolen. Work with your IT supplier to understand whether you’re taking the necessary steps. Again, proportionality is key here, so the GDPR doesn’t necessarily mean a huge outlay on upgrading your IT; it depends on what data you’re processing and what the risks would be if it fell into the wrong hands!
Know your grounds now
To avoid any tricky questions down the line from data subjects, be sure of your organisation’s lawful basis for processing data, whether it’s consent, contract, legal obligation, vital interests, public task or legitimate interests. Whichever lawful basis you decide to use must be relevant to your purpose and your relationship with the individual. Don’t forget that the processing has to be necessary, and document everything – transparency is key!
It’s not about the destination, it’s about the journey
The ICO recognises that small businesses will continue to identify and deal with privacy and data risk in the future. Like many processes in a small business, it’s a learning curve and it’s bound to come with a few challenges along the way. The important thing is how you deal with potential issues – don’t treat the GDPR as just a tick-box exercise which you’ve now completed; it’s an ongoing journey and you should be constantly reviewing and reassessing the policies and processes you have in place!
The ICO is not looking to make early examples of micro businesses or sole traders; their priority is businesses that consistently misuse data on purpose. The ICO is there to help you on your compliance journey – they have a helpline for businesses, toolkits of posters and marketing materials you can use around the office for your employees, and a whole host of advice and support online!
So, don’t panic: no one is trying to catch you out with a hefty fine; the aim is instead to guide you in the right direction in protecting personal data. For more information on the ICO’s regulations and guidelines, follow this link.