GDPR is all about introducing greater transparency, increased accountability and enhanced privacy rights for all of us. For example, we can manage the permissions we grant to tech platforms as a result of being notified about the data they hold and collect on us. These new rights are necessary in a world where the likes of Google collect the most mind-boggling information.
Because GDPR requires tech companies to design their platforms with privacy built in, a “take it or leave it” stance will no longer be the prevailing approach. The legislation has teeth: there are eye-watering fines for companies that ignore the regulations, which will make even the richest of them pay attention.
Complying with GDPR
GDPR is all-encompassing, impacting so many different areas of a business, so it can be overwhelming.
A good place to start if you’re a small business wanting to understand your obligations under GDPR is the ICO’s site. There are plenty of resources provided to help you comply, although I suspect the majority of small businesses will ultimately need help, because it’s one thing to know about GDPR, but it’s quite another to know what to focus on when attempting to comply with the new laws, given that there is so much to do.
There are certain actions that every business should be taking immediately to reduce GDPR risks. And that’s not the much-publicised question of whether or not to ask for consent to market to your lists, which I previously wrote about on this blog in GDPR – Why Consent Should Be Used As A Last Resort. Sadly, too many advisers out there are still telling businesses that obtaining specific consent for everything is the way to go, which will place huge administrative burdens on those businesses that follow such blanket advice.
There are 3 steps every business should be taking in light of the GDPR changes that many businesses may be missing, given the spotlight on email marketing. That is, consider the data you hold in the cloud and take simple, basic measures, such as:
- Use strong passwords. If employees, virtual assistants, or contractors (such as your website development company) have access to your data, are they using strong passwords to keep your data safe? They could easily compromise your security through their actions.
- Put clauses into your contracts with freelancers and contractors, and explain the impact of GDPR. Are they using laptops with encryption? Do they know not to log into your sites in internet cafés? Are they always logging off when they leave their computers unattended? These basics are essential. You are responsible for educating your workers, contractors and other team members about GDPR and the actions they need to take so they don’t compromise the security of your data or otherwise cause you to be in breach.
- Let contractors such as your digital marketing agency, virtual assistance service, or web developers know that using outsourced staff and giving others access to your site without your knowledge is not permitted without your specific consent. These entities are processors of your data. They should not be appointing sub-processors without your knowledge. You need to know if your agency is giving access to your data to a third party. Otherwise, what is the point of doing due diligence checks when taking on an agency, only for them to engage a temporary helper (possibly using a less rigorous vetting exercise than you employ) to assist them in providing their services to you?
If you’ve not yet addressed these GDPR issues in your business, then don’t delay, as they are, in my view, one of the greatest security risks small businesses face.
If, on the other hand, you are an agency using outsourced team members to deliver services such as website design, form building, online questionnaire development, search engine optimisation, Facebook or Google advertising, and the like, then your business model may need some adjusting. You should be thinking about what your clients will need from you, and pre-empting their concerns.
With just over a month to go, and many contracts to put in place and steps to take immediately, you can’t afford to leave it any longer. While it’s unlikely you will face fines for failing to address every aspect of GDPR, doing nothing is not a sensible option. Come 25 May, your website will be a tell-tale sign if you’ve not taken any steps to comply with GDPR.
We have various service options to help clients, ranging from access to templates and clauses, to providing some consultancy, or taking care of the entire process for you. Get in touch if you would like a quote or have any questions.