[BreachExchange] The new marketing laws that your business needs to act on NOW
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Apr 27 19:29:12 EDT 2017
http://startups.co.uk/the-new-marketing-laws-that-your-
business-needs-to-act-on-now/
Does your business engage in email marketing? Have tick boxes on its
website? Or do you store information about your customers?
Then you’ll need to prepare for the general data protection regulation
(GDPR) which comes into force at the end of May 2018.
While there are some exemptions for small businesses – for example, only
organisations of over 250 people need to appoint a data protection officer
(unless they’re in the data management business) – broadly speaking, small
businesses will need to comply with the new regulations.
But what are the new regulations anyway?
GDPR requires that any organisation that collects data from EU citizens –
or stores data in the EU – adhere to the new data law. This law increases
the powers of data regulators. It grants individuals greater rights to
access and control the data any organisation has on them.
It introduces substantial fines for organisations that misuse data or that
cannot provide evidence of permission to use a person’s data for a specific
purpose. The term ‘personal data’ will expand to include details like our
IP address and any data stored in cookies from sites we browse.
The introduction of GDPR will require organisations of all sizes to
evaluate and change the way they use, share and store data if they want to
avoid hefty fines (which can reach up to 4% of global turnover).
What should small businesses do to prepare for GDPR?
1. Assess current data collection and storage processes
GDPR will require all organisations that use or store the data of EU
citizens to be able to trace where they capture date, to define how they’ll
use it, and to ensure the security of the data. Small businesses need to
take this time to assess their current data collection and management
processes before the new law comes in to force.
2. Review and overhaul data security
What risk management processes do you have in place? How securely is the
data stored? Can it be copied on to a USB stick? Is it on a spreadsheet
that someone could easily print out, screenshot or take a picture of on
their phone?
You could have a secure database, with stringent access protocols, but all
of that is made redundant if someone can just take a screenshot of the
data. Any security solution you have in place must guard against this.
3. Ease of permission change
How is your data stored at the moment? Most small businesses tend to store
data across spreadsheets – both in the cloud and stored locally (on
people’s computers and the company server). But how easy is it to revoke
access? You may be able to edit access rights to the file on the server,
but what happens to the copy someone made on their personal USB?
GDPR means that businesses need to get tough on access rights. Get a system
in place that means the documents are stored in one place, and that gives
you control over who accesses it, where they can access it, and how long
they can access it for.
4. Tracking access
With permission management in place, you should be able to track who is
accessing your data. Your sales team will need to access their lead-gen
list, but can you tell where they are accessing it from? If your star sales
person is accessing it from his mobile, on his day off, in the offices of
one of your competitors, that’s something you’d want to know.
5. Inform and educate your team
Don’t assume that everyone on your team knows about the new data laws, or
understands how it affects their work. Inform, educate and train your team
on the correct use of data.
If someone accepts your connection request on LinkedIn, that doesn’t mean
they’ve agreed to be put on a mailing list. Yet a practice that is simply
rude and annoying at the moment, will go against GDPR rules in a few
months. It’s best to get your whole team following best data management
practices now.
6. Develop a culture of privacy
Privacy is a major concern for UK consumers. GDPR will require that
organisations make it easy for those they store data on to access and
delete their data. Despite the fact that the law only applies to
organisations over 250 people, and only to those that deal with the data of
EU citizens (or store data in the EU), all organisations will need to take
notice.
As more organisations focus on consumer data rights, people will expect the
same level of service from any organisation they do business with. Any
business that develops a strong culture of privacy will benefit when GDPR
is introduced.
7. Simplify processes
Be transparent with customers from the outset. Be clear about what data you
need from them and why. Set up a simple process for them to manage the data
you hold on them – it should be simple for them to delete their data or
transfer it to another organisation.
You might want to provide customers with their own digital storage –
something that they can access to check on, edit, copy and delete their
data. The data deletion process must be quick and easy for people to use.
Many smaller firms won’t be directly affected by GDPR, but in the
long-term, all organisations will need to re-evaluate their data management
processes. Once larger organisations get to grips with the new data
regulations, people will expect to manage and control their personal data
to a greater degree than they do at present. Small businesses will need to
change the way they manage data, or risk being left behind.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170427/a448436d/attachment.html>
More information about the BreachExchange
mailing list