A zero-tolerance directive from the EU is coming into force on the 25th of May 2018. It’s the General Data Protection Regulation (GDPR), and it will completely change how every organisation, business and charity manages personal data.
GDPR is creating panic among many businesses, and some are still not facing the fact that they must adapt or be penalised.
The reality for UK businesses is that GDPR will impact every company, big and small, that is active in Europe, and it will remain relevant post-Brexit.
As a business adviser I’m keen to stress why you must evaluate your business processes in line with the coming GDPR legislation. I also want to outline the steps you and your employees can take to ensure your business is GDPR ready in May 2018.
Remember, you still have six months before GDPR-Day, and with the right measures in place now you will be GDPR ready in spring next year.
What is GDPR?
Put simply, GDPR is an EU directive that extends the rights relating to personal data held by all organisations.
Who will GDPR affect?
It will affect every organisation that handles personal data. That data includes records on current employees, former employees, previous job applicants ‘held on file’, suppliers and, of course, your customer base.
As you know, most data breaches are down to mishandling of data, human error or security issues. The first step you can take to protect your business is to implement a GDPR training programme for all staff and put in place robust policies aligned with the key principles of GDPR.
The key areas to consider for your training programme and GDPR policy include:
What will change for data handling?
The fundamental rules on how we obtain and store data will change under GDPR legislation. You must review how you collect, secure, transfer and delete data. What’s more, you must be ready to handle data requests within a 30-day period.
Who is responsible for managing data?
Once your staff understand GDPR and your policies are in place, you must name a Data Protection Officer (DPO) if your organisation handles a large volume and variety of data. If you are a smaller business handling a low volume of data, a Data Controller is allocated the responsibility instead.
The next step is to carry out a detailed audit of all data you hold on paper and online.
Your data audit should include:
- Identify the volume of data stored
- Categorise the variety of data records stored
- Record how the data was obtained
- Record how consent was obtained
- Identify where the data is stored
- Establish how long you store the data
- Evaluate your data security
- Define how you manage requests for data
- Define how you exchange and transfer data
From the 25th of May you must ensure personal data is collected accurately, explain clearly the purpose of collecting the data and record the consent. One way to support this is by investing in a good CRM system such as Mailchimp or Zoho.
Here’s a simple checklist to sense-check your data request policy:
Consent must be:
- A clear statement and a positive action
- Freely given
- Easy to opt out of
Consent must not be:
- Given by pre-ticked boxes
- A condition of receiving the service
- Expressed in confusing language
Like all legislation, it is open to interpretation, leaving you exposed to misinterpretation and, worse still, financial penalties. A word of warning: the fines associated with the new directive are hefty, up to €20,000,000 or 4% of your global turnover, whichever amount is higher.
In summary, I would recommend:
- Review all data on file and how you collect it, as soon as possible
- Raise GDPR awareness among your staff
- Establish a robust GDPR company policy
- Issue GDPR communications to staff, suppliers and customers
- Finally, ensure you only hold the data you need and that it has been obtained correctly
How are accountants’ clients affected?
The biggest challenge for accountants is the way clients transfer and exchange sensitive data. We can no longer email client accounts and exchange financial information this way. At Murrison & Wilson we use Iris Open Space to securely transfer data back and forth between ourselves and our clients. You can find out more about Open Space on our Iris information page.
The price to pay for getting this wrong is extremely high. The reputation of your business is at stake, and the cost to your business is severe if you have to pay out substantial fines. There’s no room for even one mistake. Investing in the right systems to support your business is a fraction of the cost you could pay in fines.
Don’t wait until the 25th of May. Kick-start your GDPR change today.
Simon Murrison, CA
Murrison & Wilson’s Business Expert