2018 is well upon us now, so there are no excuses when it comes to the challenges facing small and medium-sized businesses. Yes, there is Brexit, access to finance, changes to pensions and many more, but remember the date May 25th 2018: the day the European General Data Protection Regulation (GDPR) comes into force.
So, as a business owner, what does GDPR mean for my business and me? The simple answer is that it means a lot, because all businesses (big or small) will have to comply with new regulations regarding the secure collection, storage and usage of personal information. What’s more, violations will be met with fines.
But let’s start at the beginning with ‘what does GDPR mean’. The two main objectives of GDPR are:
- to give citizens and residents back control of their personal data, and
- to simplify the regulatory environment for international business by unifying the regulation within the EU.
Overall the legislation has been introduced to encourage companies across the EU to think seriously about data protection. But beware if you think you can ignore it; GDPR also comes with some fairly harsh penalties for those that do not comply with new regulations. What’s more, individuals can sue you for compensation to recover both material damage and non-material damage, like distress.
Another point to remember is that although the UK has voted to leave the EU, UK businesses will still have to comply with the new regulations if the data they handle is about EU citizens, or has the potential to identify individuals within the EU. Matt Hancock (the UK digital minister) has confirmed that the UK will replace the 1988 Data Protection Act (DPA) with legislation that mirrors the GDPR post-Brexit.
The key stipulations of GDPR are:
- Firms of over 250 employees must employ a Data Protection Officer (DPO). This person is responsible for ensuring that a business collects and secures personal data responsibly.
- GDPR will also apply to small businesses under 250 employees if the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as defined in GDPR Article 9.
- Breaches in data security must be reported immediately to data protection authorities such as the Information Commissioner’s Office (ICO) in the UK. Ideally, breaches should be reported within 24 hours if possible, but at the latest within 72 hours.
- Individuals have more rights dictating how businesses use their personal data. In particular, they have the ‘right to be forgotten’ if they either withdraw their consent to the use of their personal data or if keeping that data is no longer required.
- Failure to comply with the GDPR will lead to heavier punishments than ever before. Under current rules, the UK’s Information Commissioner’s Office (ICO) can fine up to £500,000 for malpractice, but under the GDPR fines can reach €20 million or 4 per cent of annual turnover (whichever is higher).
I am very aware that there is a lot of noise and heat about the legal side of GDPR, and quite rightly so. But that is not the whole picture.
If you’re unsure whether or not GDPR applies to you, consider how regularly you deal with personal data, and remember that this includes present and past employees and suppliers, not just customer data. Understanding the type of data that will be affected under the GDPR is one thing, but having to search for where that data is held and who is responsible for it is another issue entirely and, unfortunately, without the right tools I can see many smaller businesses running into trouble.
When you understand where you’re holding personal data, you’ll then be able to better monitor compliance and the processes involved in dealing with that data.
You should also be prepared for Subject Access Requests (SARs), a request under the DPA used by individuals who want to see a copy of the information an organisation holds about them, and for the ‘right to be forgotten’, which may require you to identify and erase all of an individual’s data.
So, in practical steps, what should you do? The UK’s Information Commissioner’s Office (ICO) has created some great checklists and information booklets. Initially, go through the 12 steps they recommend. This will give you a great starting point for putting the necessary changes into place. If you want to know more about the GDPR, here is the link to the ICO’s guide: a longer read, but very comprehensive.