There are two ways of looking at the new General Data Protection Regulation, or GDPR as it's become known across the land, if you're a small business in the UK.
The first is the end of the world scenario which generally begins by saying ‘Oh my God, what a massive drag, it's all about box ticking, it's going to cost me money and the EU are going to shut me down.’
The second is altogether more positive and leaves you feeling organised, confident you're not going to prison, and as if all your customers, staff and mailing list members are deeply in love with you.
The reality, as with most things in the world, is probably somewhere in the middle.
I've been working on ensuring Corporation Pop has everything in line and even for a company with just seventeen staff it's been a big old task. That being said, once you get your head around what's needed, it's mostly just about being organised and knowing how different aspects of your business work.
As an agency we had to consider the ‘GDPR journey’ (I just rolled my eyes at that too) from two sides – one from the point of view of a business that controls personal data such as staff records, marketing databases and our own internal projects, and another where we are processing data our clients have entrusted us with, which they control.
The key for me though was understanding exactly that – our relationship to the data, or rather to the real-life people whose data this is. For let us not forget that while we are all banging on about data controllers, processors, security measures, audits and consent, what we're really dealing with here is valuable information about people like you and me. People who might have their online identity cloned and money stolen from them; people whose health records or whereabouts last weekend might be leaked to others they'd rather didn't know; or simply people, like you and me, who are sick to the back teeth of unsolicited emails and phone calls trying to coerce them, sell them stuff or trick them into becoming victims of fraud.
So that's been my point of view, it is a bit of a drag, it is an onerous task, but I need to show as much respect to those people whose data we're entrusted with as I want others to do with mine. It's ultimately about integrity and as a business what is better for your reputation and your bottom line than integrity?
So what have I learned? Well, lots of things really.
Firstly, contracts are key. The agreement you have with your client or supplier sets out who is responsible and liable for what when it comes to data. Once it's in place there should be no grey area and, in the sometimes murky land of data, that is invaluable. If you're not at that stage yet then I'd suggest you either get onto it sharpish or prompt your client to do so, because after the enforcement date of 25th May a written contract between controller and processor is a legal requirement, and not having one could interrupt your business flow.
Updating and writing policies and procedures with regard to personal data adds a lot of clarity, not just for you but for your whole team, some of whom (whom? who? which? *shrugs*) will never have had to consider data protection in any great detail before. Think about how your business manages personal data, compare it to the requirements under the GDPR, and then write down what you will do. Among others we have policies on data retention, cyber security and consent – much of which has been solidly guided by the ICO website.
While we’re on it – and this is my biggest piece of advice – use the ICO website. I repeat: USE THE ICO WEBSITE. It is my go-to for everything GDPR related and, as well as translating the legislation from its sometimes impenetrable gobbledygook into plain English, it also offers lots of easily understandable examples and handy checklists. So use it, okay?
My final word on the matter is that if you haven’t looked at GDPR properly yet, then do so. There may be a bunch of stuff you hadn’t considered – are the servers outside the EU? Are you sitting on dead data that should have been deleted? Does your whole team know what they should do if there’s a data breach?
So set yourself some time to do a deep dive into it, and don’t panic if it’s not quite all there by the end of May: in the event of a problem you’ll get big brownie points from the ICO if you can show that you’re at least on the path to compliance.
Good luck and Godspeed!