A beginner's guide to GDPR for business
Our guest blog today is by Bill Reed, founder and director of Magic Frog Ltd, a business consultancy service in Gateshead. Bill is a GDPR expert and he is here to explain more on this important subject.
GDPR stands for General Data Protection Regulation. It is Europe's "new" framework for data protection law. Not so new, though: GDPR came into force back in May 2018. Although GDPR has been with us for more than two years now, many businesses still do not know what it means for them.
GDPR governs the processing of all "personal data". In the UK it is enforced by the Information Commissioner's Office (ICO). There is a perception that GDPR is a "European" law that only matters if you deal with customers on the continent. It is not. GDPR applies equally to businesses who only have UK-based customers.
Personal data is any information that can identify a living individual, either on its own or in combination with other data. It includes names, postal addresses, email addresses, photographs and video, cookies and other online identifiers, and health and biometric data (note that health and biometric data are "special category" data and are subject to stricter rules).
If you decide why and how such personal data is collected and used, then you are a data controller. With very few exceptions, data controllers must register with the ICO (ico.org.uk) and pay the annual data protection fee.
There is a tendency for small businesses, particularly sole traders, to think GDPR does not apply to them. Size really doesn't matter when it comes to GDPR. Anyone who collects or uses personal data in the course of business must comply with the principles of GDPR.
The principles of GDPR, i.e. what your customers and clients can expect from you, are:
- Lawfulness, fairness and transparency - have a lawful basis for what you do, stay within the law, and be open and honest with your customers and clients about how you use their data
- Purpose limitation - only use data for the purposes you said you would use it for
- Data minimisation - only collect the data you actually need
- Accuracy - keep your customers' data correct and up to date
- Storage limitation - only keep and use it for as long as you legitimately need it
- Integrity and confidentiality (security) - keep personal data safe from loss, unauthorised access and misuse
- Accountability - you are responsible for complying with the above and must be able to demonstrate that you do, so it is your fault if anything goes wrong!
You might also be thinking, "but everyone else is ignoring it". This is possibly your worst defence if your company is challenged on GDPR. Other common thoughts are "I haven't got the time for this" and "it's too expensive!" I would hope that if you have read this far, then you will be beginning to understand that you have to come to terms with GDPR. Make some time for it. GDPR does not have to be expensive either: there is nothing in GDPR that a small business cannot do for itself. All you need is a little guidance.
Anyone who thinks they can stay under the radar until after Brexit needs to think again. The UK government is keeping GDPR in UK law after Brexit, when it will become the "UK GDPR".
Do not get caught with your (GDPR) head in the sand, thinking "I'm too small, they won't come after me." Failing to register and pay the data protection fee is itself an offence, and the ICO can issue a fixed penalty on top of the fee you owe. The maximum fine for a serious breach of GDPR is €20 million (approximately £18 million) or 4% of annual worldwide turnover, whichever is higher.
Check out Bill's website for more info on GDPR https://magic-frog.co.uk/.
If you would like support to start your own business, please get in touch with our team today. We run a start-up programme, 'Enterprise Support in the North East 2', which is part funded by the European Development Fund 2020.
