Unless you’ve been living under a rock, or just outside of Europe, you will have heard that the deadline for GDPR is coming on 25th May. Whether you’re aware of it or not, if you run a business then this will affect YOU. What is less clear, however, is how. Even if your business is based outside of the EU, if you supply goods or services within the EU then you must still comply with the new regulations.
What is GDPR?
GDPR stands for “General Data Protection Regulation” and is a regulation within EU law that covers data protection, replacing a 1995 directive. It changes how personal data may be used by companies: customers must opt in before their details are used, whether the business operates online or offline.
In short, it is up to your business to ensure that your customers’ data is protected and used appropriately. This can include anything from:
- Name and other methods of identification
- Security information
- Health data
- Demographics, such as gender or race
- Sexual orientation
- Political affiliations
What do I need to do?
There are many articles online which outline what GDPR is, and even some which give advice on what steps your business should take to protect itself. However, very few articles provide the most important piece of advice of them all:
Hire a professional!
There, I said it. You can read as many guides as you like, but in the end it is YOUR responsibility to ensure that you comply with the regulations. Do not take any chances by making assumptions about your responsibilities. Hire a reputable accountancy firm to tell you exactly what you need to do. Not only will this give you peace of mind, it will also relieve some of the liability from your shoulders (if they give bad advice, sue!).
However, there are some basic steps you can follow:
- If you want to add a customer’s details to your mailing list, they must explicitly give permission. Therefore, any tick-boxes must be opt-in and not already ticked.
- Existing mailing lists must provide evidence that customers opted in.
- DO NOT sell details to third parties. Just don’t do it. No one will thank you if you do.
- Ensure that any personal data stored online is password protected (and for heaven’s sake, don’t have ‘password123’ as your password).
There are many other steps to follow, which is why a professional will be needed to inspect how you handle data, but these steps are no-brainers.
What are the consequences?
The consequences of not complying with GDPR regulations can be dire. The limit for fines is up to €20 million in some cases. However, this is unlikely to be handed out if you own a local hair salon. The factors which determine the size of the fine include, but are not confined to:
- The seriousness of the data breach
- Whether there was any intent
- What preventative action was already taken
- Type of information that was breached
- Previous infringements