As a small business owner you may have already marked 25th May 2018 in your diary as the day when the European General Data Protection Regulation (GDPR) becomes official. But what exactly is this new piece of regulation meant to achieve, and what in particular does it mean for small businesses in the UK, even those with only a few employees?
Here we look at the key features of GDPR and what you should do to ensure you don’t fall foul of the new law covering the use and storage of personal data.
But first, let’s deal with a question on many business owners’ lips, namely how will Brexit affect the implementation of GDPR? The simple answer is: not much, if at all. First, the new regulation is due to be introduced before we leave the EU and, second, all UK companies which employ EU citizens will have to comply with the GDPR after 25th May.
What’s more, the government has already said that the present Data Protection Act will be replaced with GDPR legislation in all but name after the UK leaves the EU.
GDPR: the key points
The main objective of GDPR is to give individuals greater control over how their personal data is collected, stored and used. It is also intended to unify the regulation across the EU. Key points are as follows:
- From 25th May, companies with more than 250 employees will have to have a designated data protection officer who will be responsible for ensuring that personal data is handled properly at all times.
- GDPR also applies to companies with fewer than 250 employees if the business is handling information on individuals’ health, race or ethnicity, religion, political beliefs, sexual orientation, plus any genetic and biometric data. Other conditions also apply.
- Any breach of data should be reported to the Information Commissioner’s Office (ICO) as soon as possible and no later than 72 hours after the event.
- In future, businesses will have to get an individual’s consent before using their data by providing an ‘opt in’ feature. People will also have ‘the right to be forgotten’ by withdrawing their consent or asking for their data to be removed from a company’s files.
- Individuals can request to have inaccuracies about them corrected or their data deleted altogether.
- Parental or guardian consent will be required for any use of the data of a child aged 13 and under in the UK.
Penalties for non-compliance
GDPR is being introduced to ensure organisations take data protection seriously. It’s true that we have rules covering this now in the UK, and the ICO already has the power to fine companies up to £500,000 for malpractice or for serious breaches of data they hold. Under the new regulations, however, the penalties could be a lot more severe. Companies found guilty of malpractice or of failing to comply with GDPR could be fined up to €20 million or 4% of their global turnover, whichever is higher.
GDPR and smaller businesses
Article 30 of the new regulation states that organisations with fewer than 250 employees will not be strictly bound by GDPR, although as noted above, this will depend on what kind of data you are storing. You should consider how regularly you process and store personal data and whether or not you supply it to a third party for marketing purposes, for example. It’s important to note that the regulation refers to any personal information held about past or present staff as well as your clients and customers.
Before thinking that GDPR is unlikely to affect you, ask yourself if you know how much personal data on individuals you have stored. Do you know where it is stored and how secure the data is, including details you store on a mobile device or in the cloud? Are you equipped to deal with a Subject Access Request (SAR) from a former employee or customer who wants to check what information you have on them once the new regulation comes into force?
Carrying out a data audit and reviewing your current processes before 25 May next year is certainly advisable – and a good way to answer many of the above questions. It may seem a complex task and pretty daunting, but help is available. A good place to start is with the ICO’s own checklist; more information is also available from the GOV.UK site.