
As you’re no doubt aware, the General Data Protection Regulation (GDPR) has applied since 25th May 2018. In the UK it is supplemented by the Data Protection Act 2018, which replaced the old Data Protection Act 1998, and together they place new obligations on business owners over how they collect, store and manage personal data about their clients and contacts.

GDPR affects every organisation, wherever in the world it is based (including in the USA), that collects data about people living in the European Union. The definition of ‘personal data’ is broader than under the old Data Protection Act and now explicitly covers online identifiers such as IP addresses, cookie IDs and mobile device identifiers. This reflects the fact that more personal identifiers exist than ever before, and most of them are created and stored digitally.

It’s nearly six months since GDPR was introduced, so we thought we’d provide a quick reminder of why it’s important for your business to comply and some of the things you might need to do or change to avoid falling foul of the law.

Why you need to comply

The main reason is that your business could be heavily fined if it fails to protect personal data properly, whether the data is exposed through cyber crime or another form of data theft. The maximum fine for the most serious infringements is 4% of your annual worldwide turnover or €20 million, whichever is the greater. You’ll also have the cost and disruption of recovering the data, if that proves to be possible at all. If you suffer a personal data breach, you are legally obliged to report it to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected, and to tell those people without undue delay if the risk to them is high.

As well as the financial risks of non-compliance, there’s also the damage that could be done to your reputation if it gets around that you’re not treating people’s personal data correctly. There’s also a more positive reason to toe the line: you can let your customers, suppliers and other contacts know that you’re acting responsibly and ethically when it comes to storing their personal information. This can provide valuable peace of mind.

Your obligations under GDPR

Without going into too much detail, the legislation places eight obligations on businesses. You must:

  • Process personal data lawfully, fairly and transparently
  • Obtain and use it only for the specific purposes you told people about
  • Only hold adequate and relevant information, and not collect data you don’t need
  • Keep your records accurate and up to date
  • Delete any data you no longer need, or on request where the individual has the right to erasure
  • Store and manage the data with individuals’ rights (access, correction, erasure, portability) in mind
  • Implement appropriate data security measures and test them regularly
  • Not send any personal data abroad without adequate legal protection in place.

What you need to do

  • Back up your data

The most important thing to do is make sure your data backup systems are in place and working properly. For example, if you only back up customer data once a week, that’s not good enough: up to a week of records could be lost if ransomware, a hardware failure or a breach destroys the live copy.

The best approach is to back up continuously to a secure online data storage service (an online file sharing service might be adequate for smaller businesses, provided the data is encrypted and access to it is restricted) and to take a separate physical backup every day as well. The physical backup should be taken off the premises at the end of the day, so that a single incident such as a fire, a theft or a ransomware infection cannot destroy both the live data and every copy of it.

It’s important that carrying out and checking the backup is entrusted to a responsible person, not left to a junior member of staff. We also recommend you put a reporting system in place that confirms each backup has run, whether or not it was successful, and flags any other issues you need to be aware of. A backup that has never been restored is not a proven backup, so test restoring from it regularly as well.
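As an added illustration (not part of the original post, and not Jalapeno’s own tooling), here is a small Python check of the kind such a reporting system could run each morning: it reads the manifest the backup job wrote, confirms every file is present, fresh (within an assumed 24-hour limit) and matches its recorded checksum, and produces a plain message for the responsible person. The file names, manifest layout and file contents are all constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Assumption for this example: a full copy older than 24 hours counts as stale.
MAX_BACKUP_AGE = timedelta(hours=24)


def sha256_hex(data: bytes) -> str:
    """Checksum used to detect a corrupted or truncated backup file."""
    return hashlib.sha256(data).hexdigest()


def verify_backup_set(manifest, artifacts, now, max_age=MAX_BACKUP_AGE):
    """Check every job in the manifest against the files actually stored.

    manifest  : list of records written by the backup job, each holding
                "name", "sha256", "completed_at" (aware datetime) and "status"
    artifacts : mapping of file name -> bytes of the stored backup file
    Returns (all_ok, findings); findings is a list of human-readable problems.
    """
    findings = []
    for job in manifest:
        name = job["name"]
        if job["status"] != "success":
            findings.append(f"FAILED  {name}: job reported status '{job['status']}'")
        age = now - job["completed_at"]
        if age > max_age:
            findings.append(f"STALE   {name}: last copy is {age.days}d {age.seconds // 3600}h old")
        data = artifacts.get(name)
        if data is None:
            findings.append(f"MISSING {name}: listed in manifest but no file stored")
        elif sha256_hex(data) != job["sha256"]:
            findings.append(f"CORRUPT {name}: checksum does not match manifest")
    return (not findings, findings)


# Constructed sample data: the "time of the check" and dummy file contents.
NOW = datetime(2018, 11, 12, 8, 0, tzinfo=timezone.utc)
GOOD_FILES = {
    "customers.sql.gz": b"-- dump of customers table (constructed sample)\n",
    "contacts.csv": b"name,email\nA. Example,a@example.invalid\n",
    "invoices.db": b"SQLite format 3\x00 (constructed sample)",
    "mail-archive.pst": b"!BDN (constructed sample)",
}


def build_manifest():
    """What the nightly backup job would have recorded for each file (constructed)."""
    return [
        {"name": "customers.sql.gz", "sha256": sha256_hex(GOOD_FILES["customers.sql.gz"]),
         "completed_at": NOW - timedelta(hours=6), "status": "success"},
        {"name": "contacts.csv", "sha256": sha256_hex(GOOD_FILES["contacts.csv"]),
         "completed_at": NOW - timedelta(days=3), "status": "success"},          # too old
        {"name": "invoices.db", "sha256": sha256_hex(GOOD_FILES["invoices.db"]),
         "completed_at": NOW - timedelta(hours=5), "status": "success"},         # file damaged
        {"name": "mail-archive.pst", "sha256": sha256_hex(GOOD_FILES["mail-archive.pst"]),
         "completed_at": NOW - timedelta(hours=5), "status": "error: disk full"},  # job failed
    ]


def stored_artifacts():
    """What actually ended up in the backup location (constructed): one file truncated, one absent."""
    stored = dict(GOOD_FILES)
    stored["invoices.db"] = stored["invoices.db"][:8]
    del stored["mail-archive.pst"]
    return stored


def run_check():
    """Run the verification over the sample data and return (all_ok, findings)."""
    return verify_backup_set(build_manifest(), stored_artifacts(), NOW)


def report(findings):
    """Message for the responsible person; an empty findings list is the good case."""
    if not findings:
        return "BACKUP OK: all jobs fresh and verified"
    return "BACKUP PROBLEMS:\n" + "\n".join("  " + f for f in findings)


if __name__ == "__main__":
    ok, findings = run_check()
    print(report(findings))
```

Run against the sample data the check reports four problems (a stale file, a corrupted file, and a failed job whose file is also missing); against a clean set it reports nothing, and that silence should itself be delivered as a positive "all good" message so that a check which never ran is not mistaken for a check that passed.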

  • Implement appropriate IT security systems

The level and type of IT security you need will depend on the size and nature of your business. Basic protection such as a firewall and enterprise-grade antivirus software is an absolute ‘must’. There are lots of other solutions on the market that you might need as well. These include anti-spam filtering, web and email filtering, properly secured wi-fi and advanced network security appliances.

As well as your technical systems, you should also put a Disaster Recovery Plan in place which addresses all the risks to your business, not just those posed by cyber crime. GDPR requires you to be able to restore access to personal data promptly after an incident and to test your security measures regularly, so implementing the Plan and then testing it regularly is a key obligation.

  • Privacy Notice & other policies

You’ve probably noticed that the majority of websites display a clear message about cookies, what they are used for and how the data is stored, as soon as you visit the site. You’ll often need to click an acceptance button to continue to view the web pages. The cookie consent requirement itself comes from the Privacy and Electronic Communications Regulations (PECR), but GDPR sets the standard of consent that applies, so the two go together. Separately, limited companies need to display their registered address, company number and, if VAT-registered, VAT number somewhere on the site, usually in the footer; that is a company law requirement rather than a GDPR one.

On top of the above, you’ll need to create and upload a Privacy Notice and Cookie Policy to your website. Templates you can find online are a reasonable starting point, but the finished documents must accurately describe what data you actually collect, why you collect it, how long you keep it and who you share it with. If you store customer data offline as well as online, this will need to be reflected in the Privacy Notice, which can be combined with a general Privacy Policy.

We also recommend you create and implement a Computer Use & IT Security Policy and train your staff on best practice. The initial training should be followed up with regular refresher sessions.

All sound like hard work? Jalapeno can help!

Complying with GDPR might sound a bit arduous and we understand why you might be avoiding it. But we can’t emphasise enough how important it is. Jalapeno can help by identifying the precise steps you need to take to comply with the law and protect your business from cyber crime and other risks.

Our Monitor, Manage and Mentor approach to IT support provides everything you need to get in line with GDPR and stay that way. Contact us today to find out more and discuss your requirements. Or visit our website to book a FREE systems audit today.