Changes to Data Protection Regulations – are you aware?

The new General Data Protection Regulation (GDPR) comes into effect on 25th May and from that date businesses must have explicit consent from all contacts to use any of their personal data. Although the new GDPR rules may appear overkill for small businesses, there is no doubt  action needs to be taken to protect themselves against claims for non compliance. Basically businesses need to be able to show that they have consent to hold and use data and have taken reasonable care to protect customer information.

Business owners need to review what information they hold and if they do not have consent to hold the data or if it is not necessary for their business then it needs to be deleted.

Having identified what information they hold the next step is to decide how this can be protected against either loss or misuse. In larger organisations this will mean restricting who can access data but in smaller organisations this may be impractical, so all employees need to aware of the need to protect data.

Data security will include both physical security such as keeping paper records locked away and protecting computer records by restricting access, encryption or password protection. Particular attention must be taken where data is taken off site on laptops or memory sticks or transferred electronically by email, etc. as this presents a high risk from data loss.

GDPR also gives people the right to know what data is held on them, how and why it is being used. They also have the right to be forgotten if they remove their consent.

Should the worst happen and there is a data breach then the Information Commissioners Office must be notified within 72 hours. They have the power to impose substantial fines where the business cannot show that they have not taken reasonable steps to prevent the data loss.

Cyber Security – New Guidance

It is a sad fact of life that our computer systems can come under attack from hackers or phishing scams. You can never be 100% safe but small business owners can take some common sense steps to protect themselves, especially if they hold sensitive client data.

The National Cyber Security Centre has issued useful guidance on how to keep safe. They have broken this down into five topic areas:

  • Backing up your data
  • Protecting against malware
  • Keeping smartphones and tablets safe
  • Using passwords to protect data
  • Avoiding phishing attacks

More information can be found at

You also need to have contingency plans for what you will do should you be hacked including how you will recover your data, communicate with clients and the data protection regulator.

Data Protection Regulations

The General Data Protection Regulation (GDPR) will come into force on 28 May 2018.

The new legislation will have a big impact on all businesses as they must take extra measures to ensure any data they hold is stored securely. If not they risk severe penalties for data breaches. They must also put in place procedures to erase data where requested to do so. The onus is on the business to be able to prove that they have done this, so they need to keep records. It will also affect businesses who send out unsolicited marketing material. From May 2018 they will need consent before sending mail-shots, whether by email or post.

If you would like to sign up or keep receiving our quarterly e-newsletter, please give your consent here.