small business guide to GDPR

GDPR is only two months away, which means that a lot of business owners are suddenly scrambling around to make sure they’re compliant before May 25th. At first, it was only the finance and IT industries who were worrying, but now GDPR is at the forefront of every business owner’s minds.

In case you hadn’t heard, GDPR aims to unify and standardise data protection policies, shoring up weak spots and creating a strong base for personal data protection. The regulation provides a single set of rules for all member states to follow (including mandatory security notifications, new rules around user consent, a clearer definition of what could be personal data and greater rights for people to access and request deletion of the information companies hold on them). Essentially, every business in the EU needs to be compliant with these new, stricter rules around data, and we’re here to help you understand what that means.

But first…

The Brexit Question

A lot of business owners are still a bit confused about the whole thing – after all, aren’t we meant to be leaving the EU? If that’s the case, why bother updating everything? Thankfully the answer to that is quite simple. Even if we do leave the EU, GDPR will still apply. This is because not only will many UK businesses still be handling EU citizen data (and therefore be subject to GDPR anyway), but the UK Government has also confirmed that it will be passing GDPR into UK law. So no matter what happens with Brexit – the rules still apply. Sorry!


Assess Your Whole Business

The main mistake a lot of businesses are making is assuming that GDPR only really impacts their IT infrastructure. And while this is one of the bigger areas that GDPR focuses on, the fact is that nearly every area of every business will be impacted by GDPR in some way. There are six main areas that will see the biggest impact, so you need to assess your own and see if you are GDPR compliant. The six areas are:


Legal – One of the most overlooked areas to be impacted by GDPR is your legal department. GDPR requires changes to your contracts, terms and conditions, policy documents and more, not only to reflect the new laws, but to ensure that consent rules are being met at every level. This also means that your legal team (or outsourced legal support) may need to review contracts, and potentially even renegotiate some to include explicit consent and meet GDPR.


Finance – GDPR will hugely influence the way accounting and finance is done in your business. Huge amounts of highly sensitive data pass through external accountants and bookkeepers as well as within your business, so you need to make sure your systems are compliant, as well as the software and businesses you are using for support. Due to the nature of the risk, GDPR threatens to deal out heavy fines to businesses that don’t protect their financial data correctly.


Sales & Marketing – Sales and marketing is another area that will be hit really hard, because it relies on personal information in order to function. Sales people are at the front line when collecting personal data, and marketing departments struggle to function without it. But now, you need explicit consent to gather and use personal data – no more ‘opt-out’ allowed, it’s a fully ‘opt-in’ model, and you will need to be able to prove that consent was given too.


HR – GDPR doesn’t just affect the way the business works in an operational sense. It also significantly improves the rights of all employees and customers when it comes to their data. Your employees can now request proof that their data is secure, and can request that you ‘forget’ them by deleting all of their data. This means your HR function needs to be updating contracts to include the use of personal data, ensuring that everyone knows their new rights and implementing the changes.


Paperwork – While we might all be striving towards the idea of a paperless office, the fact is that we’re still a long way off. This means that you need to consider how your office handles the security of data kept in physical form. Where is it stored, and who has access to it? How can you track who has accessed it, and how easy is it to find and destroy if needed? Do you employ a shredding company, or shred things yourself?


IT – And of course, there’s IT. Your IT systems are your first line of defence for all of this data, so they need to be bulletproof. Good, secure IT systems are the foundation to a lot of GDPR’s requirements, so you need to make sure you’re up to the job. If you’re not sure, just ask a cyber security expert to give you a health check.


But don’t worry, you don’t have to do it all on your own. The ICO (Information Commissioner’s Office) has provided a wide range of guides and information, including this data protection self assessment toolkit, to help businesses prepare for GDPR. At Rosemary Bookkeeping, we’re working with a lot of clients who need to review their financial processes and data to make sure they’re prepared for implementation day. If you need help or support in understanding your accounting software’s policies, or want some advice on getting the financial side of your business GDPR ready, we’d love to help. Just get in touch with us today for your free consultation.