On May 25th 2018 the new European General Data Protection Regulation (GDPR) comes into force. From then on it is the responsibility of every business and organization in the EU (and of any organization outside the EU that processes the personal data of people in the EU) to make sure that the personal data of their relations (customers, prospects, suppliers, staff, members, volunteers, patients etc.) is protected. Businesses not taking appropriate measures can be fined.
What does this mean to businesses?
If, for example, one of your customers receives an invoice from you that, because of a mistake, was meant for another customer, then you have disclosed the ‘other’ customer’s personal data: their name and address as well as information about their purchase have gone to someone else. Under GDPR this is a personal data breach; where it is likely to put the affected person at risk you must report it to the Supervisory Authority within 72 hours, and the ‘other’ customer can complain to the Supervisory Authority, who could issue a large fine. Apart from the fine there may be negative publicity and a loss of custom, a financial consequence that no business needs.
Why do we need a privacy regulation?
Before the internet the only way to acquire personal data was to ask for it or steal it – quite straightforward. The internet has changed the way we think and act: information is now collected and stored in more ways and in greater volume than we can imagine. Enter your name in Google and see what information about you is freely available. Try your telephone number or address – the result can be surprising. Privacy regulations are needed to help control the misuse of our ‘private’ information.
Every business and organization has relations. To keep track of relations you need some ‘private’ information such as name, address, telephone number, email. You may have information such as bank account number, contact’s role, contact history, discount allowed, the list is endless. All this information is most probably stored digitally. If it is on paper then it is most probably stored in a filing cabinet which can be locked. Can your digital data be secured?
From the ‘relations’ side we give businesses and organizations private details freely, for example our address when ordering something online. Sometimes we give private information in exchange for services, such as filling in a short questionnaire or signing up for a free account. As consumers we expect our information to be handled with respect and only used for our benefit.
Right, we know why we have a privacy regulation but what must our business do to comply?
There are a number of actions a business can carry out to improve data security.
- Audit your data sources: What data do you have and collect? Where and how do you keep it? What do you use it for? Make an inventory and keep it up to date.
- Use a GOOD anti-malware product and keep it up to date. Free versions are OK but restricted in function, so a small investment in a complete application is recommended. Keep the operating system and applications patched too; most malware exploits known, already-fixed flaws.
- Use strong, unique passwords and keep them in a password manager; turn on two-factor authentication wherever it is offered. Current guidance (NIST SP 800-63B, the UK NCSC) no longer recommends changing passwords on a fixed schedule, because forced rotation leads to weaker, predictable passwords; change a password immediately when you suspect it has been exposed.
- If you can afford it, arrange with a local IT support company for a regular PC/Network maintenance and security check (as you do with your car).
- Never fall into the trap of “Microsoft Security” cold calls. Microsoft does not make unsolicited support calls.
- Ignore email from unknown sources and never open attachments or links you are not sure about. Banks do not ask for passwords or account details by email.
- Using (approved) Cloud services for storage is often safer than your own storage. The large companies that offer cloud storage (such as Google, Amazon, Microsoft, Dropbox etc.) have the resources to secure their infrastructure very well, but you remain responsible for how you use it: who you share folders with, whether two-factor authentication is switched on, and whether leavers’ accounts are closed.
- Keep sensitive information separate from the data you use every day. You may need names and telephone numbers regularly but bank account information only when invoicing, so store it separately and link the two only by a key/id when needed. Fewer people and fewer systems then ever see the sensitive data.
- Don’t save sensitive data on memory sticks – they are too easy to lose. If you must, use an encrypted stick or encrypt the files on it.
- If you have staff, make sure their access to your data is removed the day they leave your business/organization. If they change function then make sure they only have access to data relevant to their new function, and that the old access is taken away rather than kept alongside it.
- Be conscious of the responsibility you have to protect your relations’ information. Ensure every member of your business is also aware.
- Make every privacy effort you can and document the actions; GDPR expects you to be able to demonstrate compliance, and the documentation is your proof that every effort has been made.
GDPR rules are new and only once they are active will we see how they work in practice. Compliance will be tested and fines will be issued. You must make every effort to protect your relations’ data; no business is too small to comply.
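The two list points above about keeping bank details separate from everyday contact data and about removing or changing staff access can be shown in a small piece of code. The following Python example is added here for illustration; it is not code from the original article. It assumes two roles (‘sales’ and ‘finance’), two tables in an in-memory SQLite database linked only by `customer_id`, and a constructed list of customers and staff.

```python
import sqlite3

# Constructed sample data for this example (not from the article).
CONTACTS = [
    (1, "Alice Example", "+31 6 1234 5678", "alice@example.test"),
    (2, "Bob Sample", "+31 6 8765 4321", "bob@example.test"),
]
BANK_DETAILS = [
    (1, "NL00BANK0123456789"),
    (2, "NL00BANK9876543210"),
]

# Assumed roles: which tables each business function may read.
ROLE_PERMISSIONS = {
    "sales": {"contacts"},
    "finance": {"contacts", "bank_details"},
}


class AccessDenied(Exception):
    """Raised when a user has no role, or a role that may not read a table."""


def build_db():
    """Everyday contact data and bank details live in separate tables,
    linked only by customer_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts ("
        "customer_id INTEGER PRIMARY KEY, name TEXT, phone TEXT, email TEXT)"
    )
    conn.execute(
        "CREATE TABLE bank_details ("
        "customer_id INTEGER PRIMARY KEY REFERENCES contacts(customer_id), "
        "iban TEXT)"
    )
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", CONTACTS)
    conn.executemany("INSERT INTO bank_details VALUES (?, ?)", BANK_DETAILS)
    return conn


def require(users, user, table):
    """Check that `user` still exists and holds a role allowed to read `table`."""
    role = users.get(user)
    if role is None:
        raise AccessDenied(f"{user!r} has no access (left or never added)")
    if table not in ROLE_PERMISSIONS.get(role, set()):
        raise AccessDenied(f"role {role!r} may not read {table!r}")


def daily_lookup(conn, users, user, name):
    """Day-to-day use: name and phone only; the bank table is never touched."""
    require(users, user, "contacts")
    return conn.execute(
        "SELECT customer_id, name, phone FROM contacts WHERE name = ?", (name,)
    ).fetchone()


def invoice_lookup(conn, users, user, customer_id):
    """Invoicing: join the two tables by key only when the IBAN is needed."""
    require(users, user, "contacts")
    require(users, user, "bank_details")
    return conn.execute(
        "SELECT c.name, c.email, b.iban FROM contacts c "
        "JOIN bank_details b ON b.customer_id = c.customer_id "
        "WHERE c.customer_id = ?",
        (customer_id,),
    ).fetchone()


def offboard(users, user):
    """Leaver: remove every access the user had."""
    users.pop(user, None)


def change_function(users, user, new_role):
    """Mover: replace the old role rather than adding a second one."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {new_role!r}")
    users[user] = new_role


if __name__ == "__main__":
    db = build_db()
    staff = {"carol": "sales", "dave": "finance"}   # constructed staff list
    print(daily_lookup(db, staff, "carol", "Alice Example"))
    print(invoice_lookup(db, staff, "dave", 2))
    offboard(staff, "dave")
    try:
        invoice_lookup(db, staff, "dave", 2)
    except AccessDenied as exc:
        print("denied:", exc)
```

The point of the split is that the everyday query never reads the bank table at all, so a mistake or a compromised sales account cannot leak IBANs; and because access is looked up by user on every call, a leaver’s access stops the moment their entry is removed.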
For detailed information on GDPR visit https://www.eugdpr.org/