When it comes to implementing changes to comply with GDPR and the new UK data protection laws, many small businesses are still asking that very question.
From 25th May, the new General Data Protection Regulation (GDPR) replaced the existing UK Data Protection Act. A visit to the UK Information Commissioner’s website will give you a wider understanding (www.ico.org.uk), but here are four areas to consider to get you started:
Think about what data you currently have, and where it is kept.
This includes both paper and electronic data, such as registration forms, emails, databases, spreadsheets, CRM systems, quotes or invoices. Having a good understanding of what data you hold is critical. Remember that the data may also be stored in third-party systems such as cloud-based accounting platforms.
Understand what you want to use the data for, and whether the regulations allow you to do so.
Just because you have the data today doesn’t mean you’ll have the right to keep it or use it after May. A key aim of the new Regulation is to restore ownership of an individual’s data to the individual, and you may well be required to gain the explicit consent of that individual before continuing to use their data.
Understand what tools and systems you have in place, and what changes you need to make to fulfil your responsibilities.
You’ll be expected to have appropriate controls and security in place for both paper-based and electronic records, through physical security measures (such as lockable filing cabinets) as well as IT security.
Communicate your policy
You also have an obligation to inform people why you are collecting their data and what you intend to use it for, in concise, clear and easy-to-understand language. So if you advertise your services via a website, you’ll probably need to include a privacy notice at the very least.
If you need a helping hand, we can put you in touch with implementation experts like Sarah at Simply Operations, and of course we can offer help and advice on configuring your technology to gain tighter control over where your customers’ data is held and who can access it.