The answer is probably going to be, yes! However, you may not completely understand what it actually means and how it could affect your business. This overview highlights the key points of the GDPR (General Data Protection Regulation) to help you understand what’s changing and how it’s changing.
Who does the GDPR apply to?
There are many things that are certain in life. If you live in the UK, there’s going to be more rain than actual sunshine throughout the summer months, you’re going to be completely confused when your local supermarket starts displaying Christmas décor in August, and, due to the GDPR, you most likely have a product or service that could cost you 20 million euros if you don’t adhere to the General Data Protection Regulation. What this means is that, as a business owner, you will have to ask your customers to opt in before you collect and use their personal data.
What do I have to do now?
Is a question that you’ve probably not really thought of (if you have, you are definitely a very organised person). The simple answer is: make sure you put someone in charge who knows exactly what they’re doing, as GDPR is about process more than anything else. GDPR has really strict rules in place to ensure the data protection officer has the resources, independence, and senior management access needed to do their job effectively. What this means is that most businesses will probably look to either hire or acquire ‘outside resource’ to take on the responsibility for defining procedures to ensure compliance. This person needs to be an expert resource who builds awareness and trains people within the company about compliance procedures, and who is the point of contact for external authorities when there’s a question, complaint, or, heaven forbid, a breach to report. If you’re thinking, “shouldn’t we be doing all of this anyway?”, then you’re absolutely right! The GDPR is essentially forcing you to do this, rather than leaving it on the ‘oh I’ll look at that later’ pile.
It would also be useful to check that your business meets all the technical requirements. For example, the GDPR has an explicit requirement that you and your company respond to any customer complaints within 30 working days, by sharing or deleting any data as requested, that you keep a record of who sees which data, and that you report breaches within 72 hours!
However, all of the above will only work if you have all the procedures in place. GDPR requires various documented procedures, including defining the legal basis for the data that you acquire and the delivery of privacy notices. Although the GDPR does tend to avoid specifically outlining the process details, which isn’t very helpful to anyone, the burden is placed on you and your company to demonstrate that the processes you’ve put in place are suitable for each situation that you may face as an organisation.
That’s a good question, thanks for asking! Aside from hiring a new member of staff and making sure that you have all the right procedures in place, we have a simple solution for you that will, or at least should, make all of the above a little bit easier for you and your staff. If you are keen to find out more about our bespoke solution, just get in touch and speak to the team, and they’ll be happy to answer any questions you may have!