On 25 May 2018 the General Data Protection Regulation (GDPR) comes into force.
This new EU legislation is designed to give individuals more control over their personal data and how it is used. It applies to any organisation that processes the personal data of people in the EU, wherever that organisation is based, so small business data protection matters just as much under GDPR as it does for the big multinationals.
Every business, regardless of its size, will have to make sure it complies with the rules GDPR sets. If your organisation holds personal data about individuals in the EU (members, prospects, staff), you will need to make sure you are handling and storing that data in a legally compliant way.
Businesses should want to conform to GDPR for the protection it brings to their customers, but the regulation also gives national supervisory authorities the power to fine organisations that fail to comply. The most serious breaches can attract a penalty of up to €20 million or 4% of global annual turnover, whichever is greater. Staying compliant should be reason enough, but the threat of a fine is undoubtedly helping businesses to prioritise data protection.
For small businesses such as health clubs and gyms, it is understandable that GDPR can feel overwhelming. Despite its complexities, some simple steps can help with your small business data protection. When it comes to protecting membership data, here are our top tips to make GDPR compliance easier.
Tips for small business data protection
By now many small businesses such as health clubs have begun to identify what personal data they hold, where it is stored, how it is stored and who currently has access to it.
After mapping their data flows and processes, many organisations are now asking customers for permission to hold and use their personal data. This task may seem daunting, with many customers choosing to decline or not responding. However, this should be seen as a positive: customers who actively opt in are an engaged audience for your marketing campaigns. Bear in mind that consent is only one of the lawful bases GDPR recognises; data you need in order to run a member's contract (their name, payment details, membership record) can be processed on that basis without a separate opt-in, but marketing messages generally do need consent.
So, you have completed a spring clean of your data and know who wants their data kept and who wants it removed. What should your health club do next?
- Be clear about your data
Set out your terms and conditions and privacy notice so that they are explicit about your data processing. Explain what information you collect, why you collect it, how long you keep it and who you share it with (for example a payment or email provider). Your customers have a right to access their own data, and to have it corrected or deleted, so it is wise to set their expectations in writing and explain how they can make such a request and how quickly you will respond. As long as you explain your reasons for collecting data and obtain express permission wherever you rely on consent, everyone is clear about how data is handled.
- Conduct regular audits
It is wise to check the flow of data regularly to make sure that you are doing what you say you are doing. Confirm that data remains secure, that contracts with third parties who process data on your behalf are being upheld, and that data you no longer need is deleted securely and without risk to the individual. Keep a written record of each audit: GDPR expects you to be able to demonstrate compliance, not just achieve it. Regular reviews also help you to spot improvements and make your data processing more efficient.
- Review your IT
IT systems can help to protect your data from security threats and data breaches. Where possible, choose solutions that let you control who can see and change member records, rather than shared spreadsheets or a single login everyone uses. A cloud-based membership system can help if the provider offers role-based access, encryption and audit logs that you could not run yourself, but moving to the cloud does not by itself prevent unauthorised access: you remain responsible for the data, the provider becomes a data processor, and you need a written processor agreement with them.
It is worth refreshing your IT policy too, reminding your employees of the importance of best practice with data. Rather than forcing regular password changes, which current security guidance advises against, require a unique strong password per person, turn on two-factor authentication where the system supports it, and set computers and tablets at the front desk to lock automatically after a short idle period. Occasional spot checks that screens are locked when unattended are also a good idea.
- Training and refreshing
Once GDPR comes into force, many businesses may neglect the hard work they have completed so far on their small business data protection. It is likely that after an initial training session some employees will fall back into old habits. Make sure your health club team keeps data protection at the forefront of their minds post-GDPR by conducting regular refresher training.
As you get used to the new data protection legislation, you may find improvements and better practices to follow. Whenever you change how you handle data, keep your team up to speed on what it means and always inform your members about any changes to how their data is handled.