The European Union has signed into law the GDPR and now it is just one month away from coming into force. Every small business needs to understand GDPR and the effect it is going to have. We have put together a small business guide to GDPR to help your business be better prepared for the incoming regulation.
Disclaimer: This article, like any other page on this website, is not legal advice for your business to use in complying with any EU laws such as GDPR. Instead, we are providing background information to help your business understand the key areas of GDPR.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new European Union Regulation replacing the EU Data Protection Directive. Its main aim is to significantly enhance the protection of EU citizens' personal data. It also updates the rules on data breaches and adds harsher penalties for violations.
When does GDPR come into force?
The GDPR comes into force on 25th May 2018.
Does it affect my small business?
If your business processes personal data of any individual in the EU, then GDPR will affect your business. The regulation is designed to protect the rights of EU citizens, so it doesn't matter where your business is based: if you process data of individuals in the EU, GDPR will apply.
This will continue to be the case for UK businesses even after Brexit. The UK government has committed to introducing a new Data Protection Bill which will account for GDPR.
What are the GDPR fines and penalties?
The early GDPR headlines focused on the hefty fines that could be imposed. The maximum fine that can be handed out is 4% of annual turnover or €20 million, whichever is greater.
The Information Commissioner's Office (ICO), the UK's independent authority enforcing GDPR, has already attempted to play down fears of massive fines being handed out.
A blog post by Elizabeth Denham, UK Information Commissioner, said:
"This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point."
This doesn't mean the ICO will sit idly by though.
"Heavy fines for serious breaches reflect just how important personal data is in a 21st-century world. We intend to use those powers proportionately and judiciously. And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective."
How can my small business prepare for GDPR?
Here are some key points your business can focus on to get ready for GDPR.
• Get started: GDPR is one month away, so by now your business should have started working towards compliance. Becoming compliant can take time, so don't leave it too late.
• Segment your data: It's important that your business understands what data you process and store. Segment data that is customer-related, employee-related and any remaining personal data (prospective clients, etc.). By carrying out a data audit you should be able to identify the data held across your business, how it is processed, who has access to it and where it is stored.
• Manage your data: A large part of GDPR is the focus on an individual's rights regarding their data. Businesses will need to be able to manage their data, so they can access every single piece of an individual's data. If an individual makes a request to have their data removed (in line with the right to be forgotten) you need to be confident your process will remove all of that individual's personal data.
• Update your procedures for reporting a data breach: In the case of a data breach, your business will need to have a process in place to report it to the ICO and to any individuals affected by the breach. This must be done within 72 hours of becoming aware of the breach, so your process needs to be smooth and well tested.
• Review your cybersecurity: The ICO website states: "A key principle of the GDPR is that you process personal data securely by means of 'appropriate technical and organisational measures'." Review your business's cybersecurity and, to make doubly sure, speak to an IT security expert and have them assess it.
• Examine your existing standards: Your preparations for GDPR shouldn't be starting from scratch. Evaluate your existing standards regarding data security. GDPR is an extension of the existing EU Data Protection Directive so there will be areas where your business is already covered.
GDPR mistakes to avoid
• Don’t wait and see: Don't wait for GDPR to come into force before working towards compliance and certainly don't think your business size means no one will care if you are compliant or not. If your business is in breach of the regulations after 25th May, you won't be able to claim you were unaware the legislation was coming.
• Don't confine awareness to one person: GDPR is going to be a company-wide issue. Whilst you may want to have one person in charge of compliance, your whole company will need to be aware of how GDPR affects your business. For example, employees need to know what constitutes a data breach and who they should report a potential breach to. Anyone who handles data in your company needs to be fully educated on how they must process that data under GDPR.
How technology can help with GDPR
Yes, GDPR is going to involve a lot of work for your small business, but it can also be a good opportunity. It's a chance to improve your cybersecurity, which is already a massive issue for small businesses. New technology may be needed to give your business a better understanding of where data is at any given point, or to better secure the personal data you store.
Any personal data stored in databases within your business can be encrypted to further safeguard that data. The ICO website has this to say about encryption:
For a number of years the ICO has considered encryption to be an appropriate technical measure given its widespread availability and relatively low cost of implementation. This position has not altered due to the GDPR — if you are storing personal data, or transmitting it over the internet, we recommend that you use encryption and have a suitable policy in place.
GDPR in summary
Whilst potential fines have been hogging the headlines, GDPR is focused on the rights of individuals. How we, as businesses, process, share and store that data is of paramount importance.
Cybersecurity is an important part of GDPR and matters to any business. Having to focus on the security aspects of GDPR can help a business better protect itself from the threat of cyber attack and data breach.
GDPR shouldn't be seen as more work for your business to do, but rather as an opportunity to update your business processes and greatly improve your focus on the data your business holds.