GDPR stands for General Data Protection Regulations. If your business stores or hosts personal data then you need to comply with GDPR. This involves registration, ensuring your systems are robust and also informing the relevant authority should you suffer a data breach. Depending on the severity of the breach the fines can become substantial.
If your company needs to formally certify for GDPR compliance we recommend IASME Governance. See www.iasme.co.uk/iasme-governance/iasme-governance-audited for more information
Do I need to comply?
What is GDPR?
The GDPR is a new set of rules that define how a company collects, stores and shares Data to and from EU Citizens. It is designed to ensure Companies take reasonable steps to protect Data or risk severe penalties - up to 4% of turnover.
What will happen if I don't comply?
Now the GDPR is operational there is nowhere to hide should you suffer a Data breach. By law all Data breaches must be reported to the certifying authority (The Information Commissioners Office). Companies found to be non compliant can be punished via fines or worse.
We have left the EU, why does it matter?
All EU laws have been drafted into the UK's statute books before we left, so any EU laws have become UK laws since we left. Even if the UK change GDPR afterwards we will still need something very similar in place to ensure UK companies meet a minimum level of security.
What does GDPR mean for small UK businesses?
If you store no Data then nothing. However if you maintain any kind of Data storage then GDPR is designed to ensure you've taken at least minimum steps to ensure the Data cannot be stolen or otherwise compromised. For any company that relies on stored Data then this isn't such a bad thing. Most companies that have recognised there is a real threat around internet based security will have most likely already reached some sort of level of compliance.
Does GDPR ensure I have data protection in place?
GDPR is designed to ensure your Data is protected and unusable to outside parties. In complying with GDPR you are protecting company assets and company IP, something that should be done anyway. In adopting GDPR additional systems and procedures may need to be put in place to ensure both yourself and your clients are adequatley protected.
Do I have to change the way I collect and store data?
This very much depends on the way you currently collect and store Data. A specific aim of GDPR is to protect clients' personal Data by pseudonymisation of any identifying Data fields. For example a clients name would be replaced with a unique number rendering the Data record less identifying. This process would be more applicable to large amounts of Data used for analytics though.
General GDPR Advice
Think of it this way. The GDPR is like the UK speed limit. Everone needs to comply. However if your car is incapable of travelling above 30 mph then you can pretty much ignore the speed limit. If your car routinely drifts up to 40 or 50 mph then you need to be looking at the speedometer almost constantly. The GDPR is similar in that a lot of companies don't deal with personal or sensitive data. Those companies need to comply but they don't need to do a lot. Others, mostly ones that deal on a B2C basis should have appropriate guidelines, training and systems in place to show they are compliant.