October 10, 2017
If you do business with people in the European Union (EU), then you have eight months to make sure your data protection practices comply with sweeping new privacy rules – or you could face heavy penalties.
Starting in May 2018, any business in any country that holds, transmits or processes personal data on EU citizens will be subject to the General Data Protection Regulation (GDPR). This new regulation strengthens requirements around many aspects of using personal data, including consent, governance and accountability, breach notification and destruction.
It is the right time to make sure your data protection practices meet the highest standard, whether or not your business will be subject to the GDPR when it comes into effect. In today’s cross-border business environment, if you don’t already have customers or partners in the EU, you could in the future. Either way, strengthening your information security practices protects your customers, employees and your reputation from the risk of a data breach. And that’s just good for business.
With just a few short months left before GDPR comes into effect, here are a few tips to help you prepare your small business for the new privacy regulation:
Good data protection practices start with knowing exactly what data you have and what it’s used for. Make sure you can answer questions such as: What data do you store on hard drives, servers or in paper files? What type of consent do you have from individuals to use their data? Do you know the privacy policies your third-party suppliers have in place?
That last question is critical for small businesses that rely on third parties for services like customer support or cloud storage. Anywhere your customer data is processed and stored – including with third parties – could be subject to GDPR requirements. Small businesses must be diligent with not only their own data protection practices, but also those of their partners, suppliers and vendors.
The ability to reproduce, share or erase individuals’ data upon request is a key component of the GDPR. For small businesses that lack formalized data handling processes, a request from a single customer for a copy of their data could be onerous, especially if you have to retrieve it from multiple sources. Once you have an inventory of all personal data you handle, get ahead of the curve by creating a system for storing and disposing of data that includes a comprehensive document management process.
An important requirement of the GDPR is ‘privacy by design’. In some cases, this requires businesses to build certain data protection measures into staff training and human resource policies.
Whether or not you’re subject to GDPR, it’s good practice to educate employees and build strong information security habits. Implement Privacy Impact Assessments (PIAs) at the beginning of any new project or initiative to identify whether sensitive data will be put at risk. And consider introducing a Clean Desk policy, an inexpensive and effective way to ensure sensitive information is not left lying around.
Give one of your employees (or yourself!) the responsibility to stay up-to-date on legal requirements. Make monitoring the news for information on policy updates part of their daily routine. Consider adding this task to the job description, too. Regardless of size, it is always good practice to have someone responsible for information security in your business.
Don’t take your chances when it comes to the GDPR. The financial penalties and reputational damage from a data breach could be crippling for a small business. When it comes to changes in legislation, always consult a legal expert to understand your obligations.