Have you heard of GDPR?
Many small business owners are still in the dark about the EU’s General Data Protection Regulation (GDPR). You might have heard rumblings about it, but assumed that it’s not going to affect you, especially in light of Brexit. And you might be right: depending on how you run your business, it might not be that big of a deal. However, with hefty fines for those who are found to be non-compliant, you can’t afford not to do your research.
Hang on, what’s GDPR again?
The EU General Data Protection Regulation is a new law that will come into force on the 25th of May 2018.
The aim of the law is to give EU citizens more control over how their personal data is used by businesses. It will affect anyone who collects, stores, and uses the personal data of their employees, their suppliers, and their customers. Compliance will be mandatory for companies with over 250 employees, but if you’re a smaller business, don’t break out the champagne just yet.
Any business that regularly handles personal data (including health information, religious or political affiliation, sexual orientation, and ethnicity) will still have to comply.
Companies will have to appoint a Data Protection Officer and commit to reporting any data loss to the ICO (Information Commissioner’s Office) within 72 hours of the breach. Consent will now have to be obtained for any personal data that your business will collect, store or use, and it will be illegal to use previously gathered data if consent was not obtained at the time.
The risks of non-compliance.
That hefty fine mentioned earlier? It’s a big one.
Anyone found to be in breach of the act could be fined an eye-watering €20 million or 4% of their annual turnover — whichever is greater.
Wait a minute. What about Brexit?
This is an EU law, so surely Brexit will mean that we can ignore the GDPR after all?
In a word, no.
The law will come into effect in May 2018. We are not due to leave the EU until March 2019, so you will have to comply. Even after our official exit from the EU, the law will protect the data of all EU citizens, whether the information is obtained by a business within the EU, or elsewhere. The UK government also plans to replace the 1988 Data Protection Act (DPA) with new regulations, which will echo those of the GDPR.
If you don’t know where to start…
Clearly, this is something that’s not going to go away, so it is worth putting together an action plan now. So what should you do to start?
Do your research.
Your first port of call should be the ICO, where you can register as a data controller and find more information on the steps you need to take to comply with the new law.
Update your procedures.
It’s important you start looking at how you currently obtain personal data and seek consent. Have a look at your privacy policies and make any changes necessary to ensure GDPR compliance. Consider too, how you would proceed in the event of a data breach, and train staff on the new procedures.
Audit your information.
It may be time-consuming, but it needs to be done. As the law applies retroactively, any data obtained in the past can’t be used unless you have consent, so you need to do an audit to help you figure out where you stand with your current records.
Update your security.
You need to make sure that you are storing data securely; this applies equally to your technology and your premises.
So ask yourself: are your firewalls and anti-virus software up-to-date? Are you and your staff changing your passwords regularly? Are you backing up your records regularly? Have you considered using anti-spyware programmes and encrypting personal data? Are your premises as secure as they need to be? Are your computer monitors facing away from windows? Are you shredding old documentation?
Unless you have a spare €20 million stuffed down the back of your couch, as a small business owner, GDPR is not something you can ignore.
But it doesn’t have to be something to fear either. If you act now and start implementing some of the ideas we’ve mentioned here, you will be ready in plenty of time for the introduction of the new regulations.