Preparing a small business for GDPR
The Forum Cinema in Hexham, Northumberland is owned by the Hexham Community Partnership as a community business but run by a separate non profit-making business which helps to sustain the Partnership’s funding. It has been operating for over 80 years and is housed in a splendid Art Deco building. The Forum screens current and classic films and satellite productions, having a capacity of just over 200 seats.
The Forum provides employment for up to 20 members of staff and works closely with many local businesses, suppliers, community groups and schools.
Roger Hancock is a director of The Forum Cinema Hexham Ltd. With the implementation of the GDPR approaching, he knew he needed to understand what his company had to do to be compliant with the regulations.
The Forum’s business model is based on ticket sales and sales from the café. There is a “friends” membership scheme which has about 500 members. Roger’s concerns were over the Forum’s membership database and the prospect and customer database of around 7000 people, and how to make these compliant after the introduction of the GDPR regulations on May 25th 2018. He decided to seek expert advice on data protection issues specifically and how to reconfirm personal data with contacts.
Roger undertook the GDPR Academy online course, which he says has clarified the general principles of what the GDPR requires. He now has a better understanding of what data the Forum holds and collects, and what actions the Forum needs to take to comply with the regulations.
Roger wondered what would happen if the Forum was not GDPR compliant. He thinks there is a theoretical risk that, if an individual complained and the company was found not to be compliant, the organisation could be fined; being non-profit-making, it would struggle to cope with a fine of up to 4% of annual turnover.
As an ex-solicitor and former CEO of the Legal Software Suppliers Association, Roger knew the importance of having the Forum’s systems and policies in order and of being GDPR compliant before the regulation came into force in May. He needs to minimise the reputational risk to the Forum from any non-compliance.
His main findings from the course were that he:
- Needed to minimise the amount of non-essential personal data held by the Forum
- Where possible, should hold data in pseudonymised form (a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms), so that the Forum keeps the data it needs for analysis while reducing the amount of personal data it holds to a minimum.
This move to pseudonymisation is the main take-away Roger has from the course: it is important to reduce the risk of data loss as much as possible by keeping the personal data stored to a minimum.
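To show what pseudonymising a membership list like the Forum’s looks like in practice, here is an added illustration (not part of the original case study, and not the Forum’s or GDPR Academy’s code). The member records, field names and key are constructed for the example; the identifying fields (name, email) are replaced by a keyed pseudonym, and the mapping back to a person is kept in a separate table that must be stored with restricted access.

```python
import hashlib
import hmac

# Constructed sample records: not real Forum members.
MEMBERS = [
    {"name": "A. Example", "email": "a@example.org", "tier": "friend", "joined": 2016, "town": "Hexham"},
    {"name": "B. Example", "email": "b@example.org", "tier": "friend", "joined": 2017, "town": "Corbridge"},
    {"name": "C. Example", "email": "c@example.org", "tier": "patron", "joined": 2017, "town": "Hexham"},
]

# Fields that directly identify a person; replaced by one artificial identifier.
IDENTIFYING_FIELDS = ("name", "email")


def make_pseudonym(email: str, key: bytes) -> str:
    # Keyed hash (HMAC): without the key the pseudonym can neither be reversed
    # nor recomputed, so a leaked analysis table alone does not identify anyone.
    normalised = email.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Split records into (analysis_table, lookup_table).

    analysis_table keeps only the pseudonym plus the fields needed for reporting.
    lookup_table maps pseudonym -> identifying fields; it re-identifies people,
    so it is held separately from the analysis data, with restricted access.
    """
    analysis, lookup = [], {}
    for rec in records:
        pid = make_pseudonym(rec["email"], key)
        analysis.append({"pid": pid, **{k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}})
        lookup[pid] = {k: rec[k] for k in IDENTIFYING_FIELDS}
    return analysis, lookup


def members_per_tier(analysis):
    # Reporting that still works on the pseudonymised table alone.
    counts = {}
    for row in analysis:
        counts[row["tier"]] = counts.get(row["tier"], 0) + 1
    return counts


def reidentify(pid, lookup):
    # Only a holder of the separately stored lookup table gets back to a person.
    return lookup.get(pid)


if __name__ == "__main__":
    key = b"demo-key-store-this-separately"  # constructed; keep the real key out of the analysis system
    table, lookup = pseudonymise(MEMBERS, key)
    print(members_per_tier(table))          # {'friend': 2, 'patron': 1}
    print(reidentify(table[0]["pid"], lookup))
```

If the lookup table and key are ever lost or retired, the analysis table can no longer be linked back to individuals, which is the reduction in exposure the course recommends.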
Roger liked the GDPR Academy course saying it was “straightforward, easy to follow, informative, making the entire GDPR process much less onerous. It gives a very clear overview of what actions are needed.”
He is now putting into practice the policies the course highlighted, and has greater clarity and insight on the process of informing Friends and mailing-list customers of the basis for holding and processing their data, and of providing an easy opt-out if required.
Roger comments: “It’s a very useful course which gives a comprehensive understanding of what is required [for GDPR compliance] and a roadmap for finding out what information you hold and how you should use it in the future to comply with the GDPR regulations.”