Since its introduction in May 2018, business owners have done a good job of adapting to GDPR compliance and no fines have been handed out by the ICO in the UK so far. That being said, as breach reporting has become mandatory, reported data breaches are up 15%. This shows that data breaches are becoming an increasing threat to businesses which could bring major fines down on home business owners who slip up.
And when even the ICO’s own website doesn’t fully conform to GDPR, getting it right as a small business owner is likely going to be no small task. The ICO doesn’t plan on coming down hard on business owners who aren’t fully compliant any time soon, but heavy fines could be on the horizon once the teething period is over.
What follows are a few common issues home business owners need to remember when making their data privacy plans, to ensure they remain compliant and score well should the ICO decide to audit the business.
Storing and deleting data
GDPR affects all data which can be used to identify the subject, such as social, political, economic or health information. You are required to explain to your customers how their data will be stored and what assurances you can provide on its security while under your control.
GDPR also requires files to be kept for the shortest time possible, so planning how long client data needs to be held and whether it needs to be held at all after your services are finished will help keep your home business compliant.
Online businesses will also need to consider how their client data is disposed of and whether they need to invest in proper data disposal services to maintain compliance. Data destruction will typically be needed when computers and equipment are being recycled, as sensitive data can remain on a computer even after the files have been deleted. To stay fully GDPR compliant, the data should be wiped, scrambled and then the hardware shredded.
Disaster recovery plans
Because data protection is entirely down to you as the owner of your business, you will need to have plans in place for when something goes wrong and your clients' data is put in jeopardy. For online businesses, this could include cyber insurance or backup servers to protect against denial of service or ransomware attacks, but it will also include how you make sure all clients affected by a breach are notified in time and that they understand what you will be doing about it.
For those who aren't cyber security experts but who hold a lot of personal data, cyber insurance might be the best avenue. You could also consider contracting a cyber security consultant to help build your security plans, and scheduling annual reviews to keep costs down.
The subject’s right of access
The GDPR also means clients have a right to be forgotten, meaning all the data you hold on them should be destroyed, and the right to know exactly what data you keep on them. Ensuring your data storage is carefully organised will help make these processes much easier.
Should a previous client request all the data you hold on them, it needs to be provided within a month of the request. The information clients can request includes what data you are storing, how you are using it, how long it will continue to be stored and why. As home businesses are usually very small operations, getting a data storage plan in place first will help streamline this process if it ever comes up, saving you time to invest in other parts of your business.
Recording data processing procedures
Should the ICO choose to review your compliance, you will need to be able to show exactly how and why you process the data you do and how you considered the risks of storing sensitive data before gathering it. You will also need to show evidence of how you gained consent to gather and store information on clients to assure the ICO that you don’t hold information without any client’s knowledge.
The records you keep of your data processing procedures will need to include the how and why of your data collection and storage, the risk assessment you carried out and evidence of consent where it's needed. Keeping all of this centrally stored and readily available will make the ICO's job much easier and help you gain a better score should an audit be undertaken.
Supply chain safety
Home businesses which form part of a supply chain will be at particular risk of exposure due to the regular transfer of data across different data holders. Many large-scale companies also won't work with businesses whose data protection practices don't match their own, meaning poor data privacy policies could cost you contracts.
Similarly, if your business sits in the middle of the chain, risking your data security by sharing sensitive data with businesses that operate poorer protections than yours could cost you money and reputation. Data protection is the responsibility of everyone involved in the gathering, storing and sharing of data, so maintaining strong privacy and holding others to the same standards will keep your business safe even when the data is no longer under your control.
As the first ICO reports on businesses emerge, SME owners will need to ensure their data protection is developed enough to avoid the major fines the ICO has the power to hand out.