GDPR – What does it mean for my business?
With the introduction of GDPR and all the new regulations that have come into play, we wanted to look more closely at the regulations surrounding issues of secure collection, usage and storage of personal information.
As a small business owner, you will know that GDPR (General Data Protection Regulation) has had an impact on all businesses in Europe, but, like many others, you may still have some questions about what it means in real terms for you as a business moving forwards. GDPR does recognise that small businesses need to have their size taken into consideration, and the positive news is that there are some differences in treatment between smaller companies and very large-scale enterprises. The Information Commissioner’s Office (ICO) has put together a useful guide that you can view here. However, we will pick out some key points below to help you make sense of the new regulations.
GDPR – what is the objective?
GDPR was put into place for a number of reasons, but essentially it was to encourage companies across the EU to start thinking seriously about data protection. It set out to give people back control of their personal data and also to simplify the regulatory environment for international business by unifying the regulation across the EU.
What are the key parts of GDPR that impact on small businesses?
Small businesses are classed as ‘under 250 employees’ in the new GDPR regulations. Some of the rules don’t apply in the same way as they do for larger enterprises, but below are the key stipulations for all small businesses to be aware of. We would suggest that even if you fall below the 250 mark, you still ensure you are compliant anyway.
- The Information Commissioner’s Office (ICO) is responsible for enforcing GDPR in the UK, and any breaches in data security must be reported to them immediately. Ideally, breaches should be reported within 24 hours where possible, but they should be reported within 72 hours at the latest.
- Article 9 will affect small businesses (including those under 250 employees) if any processing carried out by the company is likely to result in a risk to the rights and freedoms of data subjects. If any data processing is regular rather than occasional, or if it includes any special categories of data (as defined in GDPR), then the rules must be followed.
- People now have the ‘right to be forgotten’. This essentially means that if they withdraw their consent to the use of their personal data, you must no longer keep any record of it; likewise, if keeping that data is no longer required, you must delete it. Only store data which is absolutely necessary.
How does BREXIT affect GDPR?
Good question. Although the UK has voted for Brexit and to leave the EU, any companies or businesses handling the data of EU citizens, or data that has the potential to identify any EU citizens, will still have to comply with the regulations set out by GDPR. Not only that, but it’s worth noting that Matt Hancock (the digital minister) has said that the UK (post-Brexit) will take steps to replace our old 1988 Data Protection Act to bring it in line with the new GDPR legislation anyway. So, it is worth putting the correct processes in place in your small business now so that you are prepared and won’t risk facing hefty fines.
What could happen if you don’t comply with GDPR?
If you regularly deal with people’s personal data, whether that of current or past employees or of suppliers, you should be abiding by the regulations set out by GDPR. Failure to follow the rules set out in GDPR comes with some very harsh penalties for the business concerned.
Not only that, but individuals now have the right to sue for compensation if they think their data hasn’t been handled in line with the regulations. Subject Access Requests (SARs) are requests that individuals can use when they want to see a copy of the information an organisation holds about them. Because of the ‘right to be forgotten’, as a company you will need to be able to identify an individual’s personal data and then erase all of it.
Ideally, there would be perfect solutions in place to secure all personal data under a strict security framework. However, many small businesses can run into trouble if these processes are not put in place, and employees can often hold a significant amount of unsecured personal data that could become identifiable and land your business in trouble. Failure to comply with GDPR can result in severe punishments. For example, under the current data protection rules, the UK’s Information Commissioner’s Office (ICO) can fine up to £500,000 for malpractice. Now, with GDPR, the fine is significantly higher: the ICO has the ability to fine up to €20 million or 4% of the company’s annual turnover (whichever is higher).
So, what steps can you take to ensure you are GDPR compliant?
The first real step is to discover all of the data you currently hold. Every single piece of personal data needs to be identified so that you can take steps to properly secure and protect it, or delete it if an individual requests that you do. It may be a time-consuming and complex task, but it is the only way to really ensure you are compliant with GDPR. Once you have identified all the data you hold, you can start to put robust systems in place to protect personal data moving forwards. Data on cloud services or on mobile devices still counts and needs to be protected accordingly. Technology that can thoroughly discover your data can be a great solution and might be a good place to start.
Whatever your position on data collection, as a small business owner it is good to be aware of the regulations that GDPR has put into place so that you can make sure you are following the rules and avoid unnecessary risks or hefty fines if you are found to be committing data breaches.
by Mahshid Javaheri
After working as a solicitor for 3 years, Mahshid joined Legafit.com as an Editor and contributor of legal content. Mahshid is passionate about connecting practising lawyers with the wider business community; she helps lawyers create and distribute insightful and actionable legal content that delivers value to businesses whilst showcasing the lawyers’ expertise.