If you need help with security, virus protection, backups etc please do not hesitate to get in touch with us!
GDPR is centred on protecting consumer rights and ensuring their data is properly protected by the organisation to whom it has been entrusted. The legislation is built upon six fundamentals that any small business must become familiar with:
Data must be collected for a specific reason
All data must be processed fairly
Its usage should be limited to relevant processes only
All data should be up to date and accurate
It must not be retained for longer than is necessary
It must be protected by sufficient security measures
Understanding these areas is crucial, and your organisation must act to ensure they remain within the law:
Carry out an audit:
You’ll often be surprised by how much data you have on file, especially if you’re a small business that’s been up and running for several years. If you’re going to protect your data, you need to know what you have. Outdated data, or information that’s no longer relevant needs to be removed from your systems if you’re to comply with GDPR. If your company employs more than 250 individuals you are required to maintain a record of all your organisation’s personal data processing activities internally, and to make them available to the regulator upon request.
Check-in with your suppliers:
Another important part of the audit process is checking that your suppliers are also compliant and that your contracts with them are futureproof. Many SMEs work with an entire network of third-party suppliers, but you will still be liable if they fail to protect your data in an adequate fashion. That means that you need to include specific requirements in your contracts with your suppliers. For example, in the event of a data breach, your supplier is required to notify you without undue delay after becoming aware of the breach. More generally, there needs to be a set of written terms requiring the supplier to demonstrate their own compliance with the GDPR and support you in relation to data protection matters. You should be thinking about:
Identifying existing contracts with suppliers and ensuring a data processing agreement is put in place which complies with the specific GDPR contractual requirements.
Ensuring suppliers are reviewing their own data security
Create a paper trail and classify it:
By having a record of all data you’ve collected, you’ll be able to provide evidence that you’re compliant, and if you have a small breach, you’ll be able to quickly rectify it. You also need to make sure any personal information is classified accordingly, so you know which pieces of data you’re storing need the most protection.
Remember your customers and colleagues are entitled to copies of information you hold about them and, in some instances, may require you to erase the information – both of which require you knowing where your information is!
Spread the word:
It’s crucial that all your team are conscious of the changes coming into place. Make sure you’ve explained to them what’s happening, when and why. It’s also important to have a clear Data Protection policy regarding how you handle and store personal data across your organisation, so you can be sure everyone is on the same page.
Keep up the training. Make sure your staff practices good information security process, from using complex passwords, to changing them frequently, and not sharing these passwords with other colleagues or unauthorised persons.
You should treat your customer and employee information in the same way that you would treat your own information. You wouldn’t leave your bank statement, or passport lying around, would you?
Be tech ready:
It’s all well and good having the theory, processes, and people on board with GDPR, but if your tech isn’t up to the job you could find yourself in serious trouble. Take the time to check that all your devices are encrypted with the latest security software, so you can rest assured that your data is protected.
Review the way in which you collect, store and destroy documents which might include information on your customers or employees. Some questions you might consider asking yourself:
Is our premises secure from outside intruders? E.g. CCTV, alarms etc.
Are paper documents held securely in locked cabinets? As an alternative, can we scan any paper documents and hold these electronically?
Are visitors required to sign in and wear a pass?
Do your co-workers operate a clear desk policy and tidy away sensitive documents when away from their desk?
Am I satisfied that my colleagues know how to detect a suspicious email (which may contain viruses designed to steal data from your PCs)?
Does my company dispose of such documents in confidential waste bins?
Keep up the good work:
GDPR isn’t about ticking boxes and forgetting about it. It’s something you’re always going to need to be aware of, so make sure to continue testing, monitoring, and bettering your processes. Dedicating a little time each month to check you’re compliant, could save you a big headache when it comes to being audited.
Ultimately, SMEs needn’t feel burdened by GDPR. There is time to get your house in order and for many it will take only a few minor changes to be compliant. Just remember to document everything you’re doing, and keep your customer’s rights at the heart of everything you do, that way you’ll keep them, and the regulator, happy.