The new European General Data Protection Regulation (GDPR) comes into force on 25th May 2018. It’s a key date for businesses in the UK, large or small, because compliance with the new, stricter regulation is mandatory and fines are tougher than ever before.
It’s worth pointing out that the UK will continue to be committed to GDPR after we’ve left the European Union – Brexit will make no difference to the need for compliance. Any Data Protection Act that comes into force after Brexit will directly mirror GDPR provisions.
In a nutshell, GDPR comprises the following main provisions:
- Businesses that routinely process extensive personal information or large amounts of personal data must employ a Data Protection Officer (DPO), whose role is to deal with any data protection queries and ensure compliance with GDPR.
- Individuals will have far greater rights over how businesses use their data. This may include the ‘right to be forgotten’, i.e. to have their data erased unless the company can show legal grounds for continued use.
- The new regulations will apply to any business processing personal data, including smaller businesses with fewer than 250 employees. Any data breach that impacts the rights of data subjects must be reported to the Information Commissioner’s Office (ICO) within 72 hours.
- Failure to comply with data protection legislation currently carries a maximum ICO fine of £500,000, but under GDPR businesses in breach could be fined up to €20 million (or 4% of turnover). Businesses can also be sued by individuals who suffer as a result of data mismanagement.
Is GDPR relevant for your business?
GDPR is built around two key principles. It is designed to give people more control over their own personal data, and it simplifies and unifies regulations for businesses across the European Union (EU). The provisions will apply to any business that processes the personal data of EU citizens, including customer, supplier, partner and staff data.
If your company collects and deals with such data on a regular basis, whether it’s on your mobile phone, in a spreadsheet, on a computer network or in a cloud-based CMS, you’ll need to comply with GDPR. If you’re not sure about your company’s situation, or how to go about becoming compliant, you should take advice from an experienced IT lawyer.
As a small business, it’s worth going through the checklist below to make sure you’ve taken account of all types of data subjects, including past and present employees, suppliers and customers, whose data you’re collecting, storing and using.
- You must demonstrate an understanding of the type of personal data you hold, how it is collected, how it is being used and where it is going. This includes names, contact information, bank details, email and web addresses and images, as well as sensitive or special category data such as religious beliefs or health details.
- Are you relying on consent to process the data, for example as part of your marketing campaigns? If so, these activities may become more difficult because, under GDPR, consent must be clear, specific and explicit.
- In order to be GDPR compliant, you will need to show that robust security measures and policies are in place. Review your internal processes and systems and consider the broad use of encryption as an added layer of data security.
- The right of subject access under GDPR will give citizens the right to access all their personal data, to have mistakes corrected, to prohibit its use in some circumstances, or to ask for their data to be deleted. Access requests must be dealt with within one month, so make sure you have sufficient resources in place.
- Make sure your staff are trained to recognise and report data breaches as soon as they occur. Where necessary, build up or reinforce your internal processes including staff responsible for data protection compliance.
- Carry out due diligence on your supply chain and ensure that your suppliers and contractors are GDPR compliant too, if necessary by reviewing contract terms. This will protect your business from any adverse effect arising from data breaches occurring elsewhere.
- Check whether you are required to employ a DPO. Many small businesses will be exempt from this requirement unless your core activity revolves around ‘regular or systematic monitoring of data subjects on a large scale’ or ‘processing large volumes of special category data’.
While it may seem onerous to have to review your systems and processes in order to comply with the new legislation, you can view GDPR as an opportunity to shore up your competitive advantage, adding value to your business.
If you can convey the message that data protection is important to your business, that GDPR compliance is not merely an inconvenience but that you take the personal data you hold extremely seriously, your company will earn market trust and respect. No-one likes having their personal data lost, stolen, damaged or abused. Handling personal data with integrity may well give you a unique selling point.