The new General Data Protection Regulation (GDPR) comes into effect on 25th May, and from that date businesses must have explicit consent from all contacts to use any of their personal data. Although the new GDPR rules may appear overkill for small businesses, there is no doubt that action needs to be taken to protect themselves against claims for non-compliance. Basically, businesses need to be able to show that they have consent to hold and use data and that they have taken reasonable care to protect customer information.
Business owners need to review what information they hold; if they do not have consent to hold the data, or if it is not necessary for their business, then it needs to be deleted.
Having identified what information they hold, the next step is to decide how it can be protected against either loss or misuse. In larger organisations this will mean restricting who can access data, but in smaller organisations this may be impractical, so all employees need to be aware of the need to protect data.
Data security will include both physical security, such as keeping paper records locked away, and protecting computer records by restricting access, encryption or password protection. Particular attention must be paid where data is taken off site on laptops or memory sticks, or transferred electronically by email, etc., as this presents a high risk of data loss.
GDPR also gives people the right to know what data is held on them and how and why it is being used. They also have the right to be forgotten if they withdraw their consent.
Should the worst happen and there is a data breach, then the Information Commissioner's Office must be notified within 72 hours. It has the power to impose substantial fines where the business cannot show that it has taken reasonable steps to prevent the data loss.