The big picture
I’m a big believer in getting the general principles – the bigger picture – clear from the outset. So, let’s have a crack at that:
Data is now a commodity, and a valuable one at that. Data about our web browsing history and online shopping habits are used to market products to us. We use our private data as a means of identifying and authenticating ourselves. And, our social data can even be used (allegedly) to influence who’s elected as leader of the free world.
As a result, our data – along with who has access to it, and what they’re permitted to do with it – is an extremely hot topic.
Granted, most of us aren’t dealing with data on a scale that could possibly influence whether Kim Kardashian becomes the next US President – but the effects of a general tightening of controls over how data is used are most definitely trickling down to even the smallest businesses.
What are the new regulations trying to achieve?
The EU’s General Data Protection Regulation, or GDPR, comes into force on 25th May 2018 – and essentially, the regulation is attempting to give individuals far greater control over their personal data. It reaffirms that the protection of individuals in relation to their personal data is a fundamental right to which we are all entitled.
At a high level, the GDPR aims to protect this right in a number of ways:
- By forcing businesses to be open about when they collect personal data, and how they propose to use it – so that we have a meaningful choice about whether to release our data to them or not;
- By encouraging businesses to keep the data they do collect secure;
- By giving us a range of rights in relation to the data that is held;
- By allowing the application of eye-watering financial penalties for serious non-compliance.
More specifically, the regulations are there to reinforce the importance of treating personal data with respect and value, and in a way that is compatible with our own individual basic rights of privacy.
They require people and organisations who collect and process this personal data to:
- Take all reasonable, proportionate efforts to protect that data, and control who has access to it;
- Be open and honest about what data they’re collecting and why, and set limits up front on how they are going to use it;
- Make sure that the information is accurate, and only hold the information for as long as there is a justifiable reason to do so;
- Take responsibility for the personal data, and treat it like the valuable commodity that it is.
So, from the perspective of our own individual rights to privacy, most people would agree that the principles behind the regulations are pretty sound.
Glass half full?
It’s probably best to look at this as an opportunity rather than a problem.
Yes, the GDPR imposes rules, obligations and (potentially) penalties – but the principles that it seeks to enforce are sound. If we commit a little time and effort to understanding the regulations, then we will undoubtedly end up running more efficient, credible and reliable businesses.
Customers love that.
So what does it mean for my business?
I guess it depends on your current approach to data privacy. If you’ve never actively given it any thought, you’re going to need to now. This doesn’t need to be hard, but it does need to be well thought through.
If, on the other hand, you’ve worked in the past to ensure that you’re compliant with the rules of the Data Protection Act and other privacy directives, then this shouldn’t be a big deal. The general goal posts haven’t moved that much.
In my opinion, one of the biggest issues with the previous legislation was that most small businesses didn’t take it seriously, and for the most part, that didn’t make any difference – I don’t know, or know of, any small business that has been penalised for mishandling customer data. But I know of plenty that, in reality, do exactly that.
So perhaps the biggest, and most beneficial change to make is one of mindset. Treat the GDPR like a box-ticking exercise, and it will probably feel like a burden. Treat it like an opportunity to run a better business, then everyone’s a winner.
Ok, fine. But specifically, what do I need to do?
You need to think about all of the ways that you collect ‘personal data’ in your business, and ask yourself the following questions:
- Why do we collect this?
- How do we store it?
- Is it secure?
- What do we do with it?
- How long do we keep it?
- Who has access to it?
- Why is it ok to store and process this data?
When you can answer those questions, you’re well on your way to understanding what, if anything, you need to do to get in line with the new regulations.
Typically, businesses are going to need to:
- Work out where their weaknesses are, and resolve them – most of it is common sense;
- Define a policy for how you collect and process personal data;
- Make that policy conspicuously available to the people whose data is covered by it;
- Stick to it. And make sure your employees stick to it too.
We’ve created a series of GDPR articles, in which we’ll delve further into the detail of what this really means for small businesses, including specific processes you can use to get yourself GDPR ready – in particular, check out our Small Business GDPR Action Plan below – a suggested step-by-step process for getting your data ‘house in order’.
The time to take this seriously is now – you can thank yourself for it later.