Chartered Accountants and Professional Business Advisers

The General Data Protection Regulation (GDPR) comes into full effect on 25 May 2018 and will affect every type of business.

Whether this is the first time you’ve heard of GDPR or it’s already on your radar, it’s important to understand how it will affect your business, and what steps you must take to ensure you’re ready in time. The new rules will cover every business, from sole traders to large multinationals, including not-for-profit organisations.

GDPR is essentially a beefed-up version of the Data Protection Act, but it also encompasses some new areas. To comply with the rules you will need to consider what personal data you hold and why, how long you keep it for and whether it’s stored securely.

What data do you hold?

Firstly, carry out a ‘data audit’ to understand all the information you hold that is covered by GDPR and where it is. This will include your internal records and your client or customer records, both electronic and physical. The rules cover ‘personal data’, meaning anything which relates to an identified or identifiable person. A person is identifiable if the information, on its own or combined with other data you hold, could be used to pick them out, so a name, phone number, email address or IP address all count. Often, data will sit on a form or in a file that mixes personal data with other information, and it’s not practical to split it out; in that case treat the whole record as personal data.
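For the electronic side of the audit, a simple discovery script can give a first indication of which records contain identifiers such as phone numbers, email addresses or IP addresses. The following is an added illustration, not part of the original article or any tool the firm uses; the sample records, the patterns and the function names are constructed for the example, and pattern matching of this kind produces both false positives and misses (names and postal addresses, for instance, are not caught), so it supports the audit rather than replacing it.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample records standing in for lines exported from a CRM or a
# shared drive. One of them contains an IP-lookalike that is not an address.
SAMPLE_RECORDS = [
    "Invoice 1042 for J. Smith, contact 07700 900123, logged from 203.0.113.7",
    "Meeting notes: supplier pricing review, no attendees listed",
    "Support ticket: user jane.doe@example.org reports login failure from 198.51.100.22",
    "Build 10.4.2.999 released 2018-05-25",  # looks like an IPv4 address but is not
]

# Identifier patterns (assumed for the example; tune to the data you actually hold).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK-style numbers such as 07700 900123 or +44 20 7946 0123
    "phone": re.compile(r"(?:\+44\s?\d{2,4}|\b0\d{2,4})[\s-]?\d{3,4}[\s-]?\d{3,4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def find_identifiers(text):
    """Return a list of (kind, value) pairs for identifiers found in one record."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            if kind == "ipv4":
                # The regex accepts octets above 255; let the stdlib reject those
                # so version strings and similar are not reported as IP addresses.
                try:
                    ipaddress.IPv4Address(match)
                except ValueError:
                    continue
            hits.append((kind, match))
    return hits


def audit(records):
    """Flag which records contain personal data and count identifiers by kind.

    Returns {"flagged": [record indexes], "counts": Counter of identifier kinds}.
    """
    summary = {"flagged": [], "counts": Counter()}
    for index, record in enumerate(records):
        hits = find_identifiers(record)
        if hits:
            summary["flagged"].append(index)
            summary["counts"].update(kind for kind, _ in hits)
    return summary


if __name__ == "__main__":
    result = audit(SAMPLE_RECORDS)
    for index in result["flagged"]:
        print(f"record {index}: {find_identifiers(SAMPLE_RECORDS[index])}")
    print("identifier counts:", dict(result["counts"]))
```

Run against an export of a real system, the flagged records tell you where personal data lives; the unflagged ones still need a manual look, because free text such as “spoke to the claimant's daughter about her surgery” is personal data that no pattern will catch.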

Why are you holding the data?

You then need to establish whether you have a valid legal basis for collecting and holding the data in the first place. Customers, and anyone else whose data you hold, have new rights to know what you hold about them and to request that it’s deleted, so you need to know why you keep each type of data before you can answer those requests.

How long should you hold data for?

There is often a legal obligation to hold certain data for a set period, but once that period has passed you need to think about whether you still have a valid business case for retaining it. If not, this may mean securely destroying physical records or deleting electronic files, including any copies and, where practical, backups.

Where are you storing the data?

To protect physical data you must ensure that your building is secure, and that data cannot be viewed or copied by people who shouldn’t see it. So you may need a clear desk policy or secure storage areas to ensure contractors or visitors can’t see or photograph information. If you keep data in an off-site location, check that the third party is also protecting it under the GDPR and that your contract with them says so. If a laptop or mobile phone is lost or stolen, you should make sure it was encrypted and can be wiped remotely; bear in mind that a remote wipe only works if the device comes back online, so encryption is the protection to rely on.

Normal email is not secure, so you may need to consider encrypting sensitive messages or attachments. If you password-protect a file, send the password by a separate route such as a phone call or text message rather than in the same email. The onus is on the sender of the data to protect it, but you may also want to give your clients a way to send you things securely rather than relying on them to get encryption right.

Stand out against the competition

The silver lining is that while GDPR may be burdensome, it may allow you to showcase to your customers how securely you look after their information – and this could be an opportunity to stand out.