Prepare your business for GDPR

We’re now less than a year away from General Data Protection Regulation (GDPR) coming into force. This is a new regulation which will harmonise data protection laws for consumers in the EU. And it will apply to all businesses that collect personal data from their customers.




By jennie
06.06.17 / News

The UK Information Commissioner Elizabeth Denham has warned that some small businesses might still be unaware that a new regime is looming. Back in February, a Direct Marketing Association survey found that only 26% of companies believed their business are unprepared for the GDPR regulation. However, there were only two-thirds who thought they would be fully compliant by 25th May 2018.

GDPR is a legislative act, which the UK Government has said it will abide by, regardless of Brexit. Fines for a data breach will either be £17m, or 4 per cent of global annual revenue, whichever is highest. So you need to start to get to grips with understand the ensuring requirements of GDPR, so your business will be ready.

Unfortunately, there are no shortcuts to compliance. Although GDPR retains many of the principles from the Data Protection Act, even if you’re compliant now, there are a number of critical changes. Even for SMEs, this will mean a lot of preparatory work to examine and document your current data protection measures, document all the information you hold on customers and ensure that all your data collection and procedures will be GDPR-compliant.

Don’t bury your head in the sand

You might be a small business, but if your company uses or holds the personal data of an EU resident, you’re going to need to abide by GDPR,  The key to making your business compliant with GDPR is to start preparing now. If you can use the expertise of others in your company, the first step is to start to review your current procedures and develop new ones where needed.

It’s vital that someone senior from within your business leads and represents GDPR. They may need to approve budget if investment is required. Or, make fundamental decisions about changing the way you manage data. If you’re not able to call upon a large team from within your business, then you may want to consider talking to external experts.

If you already have internal IT resource, or an outsourced partner, they can help review your IT security policy to ensure it will comply with GDPR. A lawyer with data protection experience can also help you understand your responsibilities and help update your privacy policy, or other documents.

What steps you can take now

Review and update your Privacy Policy

One of the aims of the GDPR is to ensure that companies build privacy controls into everything that they do. So you’ll need to ensure that all products, processes or services have the right privacy measures in place. And anything new your business develops has privacy built in.

Your Privacy Policy needs to be written so your customers can understand it. And it will need to comply with GDPR requirements. There’s some useful guidance from the Information Commissioner’s Office (ICO) on Privacy Policies. A well-written policy demonstrates that your business is serious about protecting privacy and customer data. You can find template Privacy Policies online which you can adapt for your business. But, it would be sensible to get a lawyer to review what you come up with. Some things you’ll need to consider when writing your policy:

  • what personal information you ask customers for and where (i.e. what data you collect when an an order is placed, or when a service is provided)
  • why you need that information and what you’ll use it for
  • how you store that data
  • how is it transferred?
  • is it disclosed to anyone else?
  • how you delete it

IT security and managing customer data

You’ll need to review your current IT security policy and how you collect, use and store any customer data. GDPR gives your customers the right to ask you to share and/or erase their personal data. Probably the best place to start is to look at your current systems and gather information. You need to be able to track, disclose and delete data easily if you’re asked to. First of all you’ll need to look at:

  • What personal data do you collect?
  • Can you track and erase personal data?
  • Do you store any personal data?
  • Where is personal data stored (on computers, servers, in the cloud)?
  • How is personal data used?
  • Is data disclosed to anyone else, or shared/transferred?
  • How do you backup data?
  • Do you have a business continuity plan and a disaster recovery plan?

Managing a data breach

The GDPR requires businesses to inform customers about data breaches within 72 hours of the breach occurring. A breach notification plan helps define what needs to happen if a customer’s data is leaked. Who is responsible for taking the appropriate action and what that will be.

Your plan needs to document who in your company is responsible for reporting a breach, how the breach is then documented and how the customer is informed. You could design a simple flowchart to show what happens, who is responsible and the timings and the method of communication. Write your company’s breach notification letters or emails now; so you’re ready if a breach occurs.

Get ready now!

If you’ve not yet started to prepare for GDPR, there’s no need to panic. Start planning now to ensure you’re ready for next May, because preparation is key. If you’re not sure where to begin, we’ve provided some useful links below.

How Dr Logic can help

We’ve already started to prepare for GDPR and will be happy to talk to you about how to get started. However, if you’d like more comprehensive support, we can also work with you on your own GDPR project. Anything from helping you develop your plans for compliance, advice about IT security or support in implementing any new processes that might be needed.

Just get in touch if you’d like to know more about our GDPR consultancy services.

Useful links & further reading

An overview of GDPR from the ICO

A useful checklist for companies from the ICO

Privacy by design – how to embed privacy into your products, processes and services

Leave a Reply

Your email address will not be published. Required fields are marked *