Turner Little on how best to comply with GDPR

At Turner Little, we specialise in helping small and medium-sized businesses set up, maximise their chances of success by securing the best financial deals, and get advice on everything from trade mark and copyright protection to regulatory compliance.

In this blog we’re looking at the upcoming deadline for GDPR (General Data Protection Regulation) compliance. Figures show that just 29% of small businesses and 41% of mid-sized businesses across Europe have taken the necessary steps to comply with GDPR.

If your business isn’t yet ready, then it’s definitely time to instigate changes to your procedures. However, it’s best not to panic and rush into making errors that could cause problems for your company later down the line. Here are five mistakes to avoid as you gear up for GDPR.

  1. Don’t make rash decisions

There is currently much media attention on GDPR compliance, which can lead companies to jump the gun and make poor decisions. For example, British airline Flybe was so keen to prepare for GDPR that it sent an email to its entire customer base, including people who had unsubscribed, thereby breaching the Privacy and Electronic Communications Regulations (PECR) and ending up with a £70,000 fine.

If you don’t know what you need to do to comply with GDPR, don’t do anything until you have investigated. Keep every other compliance regime you are subject to in mind as you make changes, so that a step taken to satisfy GDPR doesn’t unwittingly breach another one.

  2. Don’t take a fragmented security approach

Complying with GDPR means a comprehensive approach to security. This should not only focus on technological security, but also that of people, processes and governance.

A recent report shows that 26% of companies in the EU that claim GDPR compliance have focused only on IT measures, such as breach notification and consent handling. These IT processes on their own will not protect a business from regulatory penalties or security problems.

The new legislation should be treated as a chance to revisit the basics of cyber security across the company’s entire IT infrastructure. You must know where personal and other sensitive data is stored, who can access it, and which systems are the most critical to your business.

  3. Be proactive, not reactive

A positive approach towards GDPR is needed. It’s all too easy for an IT security department to be reactive to new compliance requirements and lack a strategic approach to cover them for the long-term.

IT departments must be able to prevent data breaches and, for example, respond promptly when a customer exercises the right to erasure (the “right to be forgotten”). They must also be able to meet all the GDPR requirements regardless of their day-to-day troubleshooting load. If your IT department is understaffed, or you don’t have employees with the necessary security training, now is the time to rectify it.

  4. Don’t put all responsibility on to IT

Compliance requires a cohesive approach from across the business and should not be seen as just the IT department’s problem. A Netwrix IT risks report found that 65% of organisations had experienced some form of security incident, most of them down to human error and malware.

All employees who deal with sensitive data (this should include marketing, accounting, legal and sales teams) must be trained on cyber security policies and procedures. In broad terms, the entire business culture should put personal data privacy and security front and centre.

  5. Don’t be too radical

Some companies have chosen to delete all customer data that could be construed as sensitive, in the hope of eradicating the risk of non-compliance with GDPR. This is unnecessary, and it does not remove your obligations under the regulation for the data you continue to collect and process. All it will do is get in the way of doing business. Regulators and auditors want to see a strategic plan for compliance, so companies must be able to demonstrate that they’re on the right track.

GDPR has been introduced to force businesses to be more cognisant of the customer data they hold, and to stop treating it purely as a source of revenue. The changes rebalance the relationship in favour of customers, as businesses will have to be more respectful of their right to privacy.

It’s a good opportunity to reassure customers that your business cares about them in real terms, by demonstrating careful handling of their information. This will mean stronger customer loyalty in the long term.

About Turner Little

Founded in 1998 in Yorkshire, UK, Turner Little is a specialist UK and offshore company formation, banking and corporate services provider. Our services include company formation, UK and offshore banking, asset protection, credit correction/repair, trademarking and trusts. Other services include Internet services, mail forwarding, wills and probate. Turner Little’s vision is to offer the best possible service, together with market leading products.
