The General Data Protection Regulation, better known as GDPR, came into force in May 2018. Does your business meet the new rules?
The aim of GDPR is to improve individuals’ control over their own data and their right to privacy. As a result, the new rules (implemented in the UK as the Data Protection Act 2018, or DPA 2018) require greater controls by companies who hold and process personal data.
Personal data includes email addresses, names, phone numbers, postal addresses etc., so if you have customers, suppliers or staff, you probably handle personal data, too. However, many smaller businesses still don’t understand how the law applies to them. Some incorrectly believe that they are exempt, others just don’t know what to do. Complying with GDPR can actually be quite straightforward and will be a benefit to your business – showing customers that you take their privacy seriously and ensure that you only market to customers who are interested in what you sell.
The Information Commissioners Office (the ICO, ico.org.uk) is responsible for the new law in the UK and it has produced a lot of useful information specifically for smaller organisations. Based on this guidance, we’ve produced this handy 8-step guide to help you get in line with the law.
The ICO has produced a self-assessment checklist specifically for small business owners and sole traders. Once you’ve answered 8 easy questions, the assessment provides tips and resources to help you fill any gaps in your knowledge or processes. You can find the ICO self-assessment here.
You must make and keep a record of the personal data you hold and why you have it. “Personal data” means any information by which a person can be directly or indirectly identified. And, remember that the regulations apply to any information you hold on your staff (such as pay or personnel records) as well as customers, suppliers and sales leads.
There are 6 lawful bases for processing personal data. You need to identify the most appropriate basis for your situation and keep a record of what it is. Use this interactive tool from the ICO to help determine the most appropriate lawful basis in your case.
People have the following 7 rights over the data you hold about them. You should have a plan for how to deal with any requests.
Do you clearly tell people why you need their data and how you will use it? You may need to update your site’s privacy notice to comply with the new rules. The ICO offers a template privacy notice for small organisations, here.
Remember the rules cover paper records as well as digital data. Secure your business premises and lock up your records. Ensure that only authorised people have access to personal data. Make sure you use passwords and encryption to protect electronic data and check out your cyber-security. The ICO has a useful information security self-assessment here, and a guide to data security here.
Make sure you know what to do if you break data protection rules. Have a process to follow to deal with any breach. If you are unsure whether you have had a breach, check the ICO’s Report a Breach webpage, or call its dedicated personal data breach helpline: 0303 123 1113.
Finally, make sure you stay informed about data protection. Rather than following scare stories in the media, it makes sense to use reliable sources like the ICO. Here are some other useful resources to review:
Simply complete the form to receive valuable info and actionable tips for your business. Plus, you'll hear from fellow merchants who use PayPal to help reach their goals.
If you accept cookies, we'll use them to improve and customise your experience and enable our partners to show you personalised PayPal ads when you visit other sites. Manage cookies and learn more