GDPR – What does it mean for SMEs and how do you prepare?
This blog was originally published on LinkedIn on 29th November 2017.
The General Data Protection Regulation (GDPR) will apply from the 25th of May 2018. The regulation will have a huge impact on how organisations, regardless of size, collect, process and store personal data.
Collyer Bristow (a leading UK law firm) carried out a research study with 460 senior decision makers working for SMEs in the UK and discovered that 55% of small businesses had not heard of GDPR. When the regulation applies, every organisation established within the European Union, as well as organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour, will have to adhere to these rules. The GDPR replaces the existing 1995 EU Data Protection Directive. It harmonises data protection law across Europe and provides greater rights and stronger protection for individuals.
A survey carried out by YouGov also showed that 38% of decision makers were not aware of the new rules nor of the potential fines they carry, and that the main problem for SMEs is a lack of awareness. With a lack of awareness naturally comes a lack of preparation. The supervisory authorities that enforce the regulation (in the UK, the ICO) will not accept ignorance as an excuse, and non-compliance may result in a fine of up to €20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.
The first thing for SMEs is not to panic and to seek more information about how they may be affected by the new legislation, whether from guidance published by the ICO (Information Commissioner's Office) or by speaking to a consultant who can help small businesses prepare. Many will try to prey on the fear of small businesses, but bear in mind that this legislation has not been created to bankrupt small business; it exists to harmonise existing legislation and protect the rights of our customers.
There are three major differences from the existing legislation that SMEs need to prepare for: changes in accountability and compliance, changes in an individual's access to their own data, and the introduction of GDPR fines.
When the regulation applies, your business will be more accountable for the handling of personal information. Ways to address this include implementing a data protection policy, keeping a record of the processing activities carried out within the company and documenting the lawful basis for each of them. If you hold personal data (or special category data of a sensitive nature) and it is lost, destroyed, altered, disclosed or accessed without authorisation, you must report the breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned; where the breach is likely to result in a high risk to them, you must also inform the affected individuals without undue delay. Consent is one of the lawful bases for storing and processing an individual's data, and where you rely on it the consent must be freely given, specific, informed and unambiguous.
An individual’s right to their data
As well as placing new obligations on organisations, GDPR gives individuals greater power to access the information you store on them. Subject access requests will now be free of charge in most cases, and businesses must provide an individual with all the information held on them within one month of the request (extendable by a further two months where requests are complex or numerous). Individuals also receive the right to erasure, commonly known as the right to be forgotten, where they can ask for the information stored on them to be deleted if it is no longer necessary for the purpose it was collected for, if they withdraw the consent on which the processing was based and no other lawful basis applies, if they object to the processing and there is no overriding legitimate interest, or if it was unlawfully processed.
Having already gone over the fines above, we want to reiterate that the purpose of the legislation is not to cripple businesses. Elizabeth Denham, the Information Commissioner who heads the ICO, states that "We will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways, but we've always preferred the carrot to the stick".
We can help businesses prepare for the implementation by offering a GDPR audit and by providing training to your team to ensure you never let your customers down and never face these potentially severe fines. Please visit our website for further information.