The 25th May has happened. Been and gone. Like the millennium bug and the many predictions of the end of the world, that day passed as most others do for sole traders and small business owners in the UK. However, in the days and weeks before the 25th, many people were desperately worried, and on the verge of panic, over what the new General Data Protection Regulation (GDPR) and the Data Protection Act 2018 meant for them. All kinds of scare stories circulated: huge fines, inspectors with draconian powers and significant loss of business, to name but three. So what now? Did you miss the deadline?
Please don’t panic. Or spend too much of your precious business time fretting over compliance. The Information Commissioner’s Office (ICO) has come out to allay fears and reassure small firms and organisations that it is the big players who will be targeted first should any non-compliance be spotted. If you struggled to make the grade and missed the deadline, you are far from alone. It has been estimated that up to a third of small businesses haven’t even begun preparations, and with the ICO’s reassurance that enforcement is about failures and breaches rather than inspections of your kit, so to speak, you should be able to take a deep breath and approach the situation calmly.
You can’t bury your head in the sand about GDPR – there are certain parts of your business that simply have to comply. However, GDPR largely updates data protection law that already existed. In most cases, it is unnecessary for an SME to employ a specialist consultant, as the Information Commissioner’s Office website (ICO.org.uk) has all the practical advice that most organisations will need.
The key things to deal with as a priority are:
Documenting what personal data your business holds (electronically or on paper), where it came from and who you share it with.
Making sure you have a lawful basis for holding this data and, where that basis is consent, that you asked for it clearly and have a record of it.
Ensuring you have an up to date privacy notice to share with the people whose data you hold.
Making sure that those whose data you hold have an easy way to get you to delete their data when asked (this might include an easy way to unsubscribe from newsletters, for example).
If there were a breach – for example, if you sent an email including a client’s contact details to the wrong recipient – could you easily identify it, deal with it and report it? Bear in mind that a breach likely to put people at risk must be reported to the ICO within 72 hours of becoming aware of it.
But, simply put, you should have been doing many of these things already if you operate with good solid business processes. Much of the detail in GDPR just doesn’t apply to the smallest businesses, and most don’t need a dedicated Data Protection Officer at all.
So it isn’t too late to ensure you feel comfortable that the way you hold other people’s personal data complies with GDPR. Treat their information with the respect it deserves and you are most of the way there.