The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. By that date all UK businesses handling personal data need to ensure that they comply with the new rules – failure to comply could mean hefty fines and reputational damage. As the date gets closer, have you made the adjustments you should make ahead of GDPR?
What is GDPR?
GDPR is a new European Union regulation which applies from 25 May 2018. GDPR aims to ensure that people’s personal information is used securely and responsibly by organisations, businesses and government bodies. GDPR therefore sets out important privacy and data protection requirements. All businesses which market goods or services to EU residents, regardless of where the business is located, need to comply. Firms found to be non-compliant, for example following a data breach, can face fines of up to 4% of annual worldwide turnover or €20 million (around £17 million), whichever is higher.
The rules replace the current law – the Data Protection Act (DPA) 1998 – on how firms protect citizens’ personal data, and aim to bring pre-smartphone and pre-ecommerce data protection legislation up to date. The government has indicated that Brexit will not have any effect on the need to implement GDPR.
Will GDPR apply to my business?
GDPR applies to all UK businesses which handle personal data (both customer and employee data) – this includes firms of all sizes and in any sector. Even if you hold only a small fraction of the data handled by larger firms, SMEs still have to put the same procedures in place. Firms should already be compliant with the existing DPA 1998, so it should be a case of updating the measures you are already taking.
Most businesses will have been preparing for GDPR for a while though there are a number who are still lagging behind. The Federation of Small Businesses recently reported on research which revealed that:
- 33% of small businesses had not yet started to prepare for GDPR
- 35% were still only in the early stages of preparation
The two sectors identified as the least prepared are hospitality and arts & entertainment.
Here’s what businesses need to do:
- Determine whether your organisation processes personal data and, if so, whether it does so as a “data controller”, a “data processor”, or both; each role has its own requirements. If you are unsure, consult the Information Commissioner’s guidance.
- Be clear about the terms. For example, ‘personal data’ means any information relating to a living person who can be identified, directly or indirectly, from that data; ‘processing’ includes the collection, storage, use and sharing of that data.
- Draw up a checklist of all the relevant areas which need reviewing where data protection laws could apply – e.g. customer information, staff records, CCTV etc.
- Identify the additional measures needed. For example, you may need to include additional privacy statements when collecting personal data, amend your existing data entry forms, or add extra security measures such as encrypting stored personal data and restricting who can access it.
When implementing GDPR, remember that the overall aim is to be transparent and secure in the collection, storage and use of data. Being compliant is how businesses avoid the penalties, but you can also take the opportunity to communicate with existing customers about the security of their data – especially important in light of recent high-profile data breaches.
Small businesses with low volumes and complexity of data shouldn’t need to invest in extra resources, apart from possibly for conducting the initial due diligence and putting any updated measures in place. However, remember to include GDPR-compliant practices in your on-boarding and training of new staff.
The Information Commissioner’s Office provides practical advice for small businesses and can be consulted for further information.