SMEs need to watch out and act ahead of the new GDPR regulation which is due to come into effect on 25 May 2018. No matter how small you are, you will have to comply with the legislation governing the secure collection, storage and usage of personal information.
What is GDPR?
The General Data Protection Regulation (GDPR) is the new data protection law which provides greater protection for consumers and gives them better control and clarity regarding how their personal information/data are collected, stored, shared and used.
Introduction to the GDPR- What does GDPR mean for my business and me?
The GDPR is a new provision that significantly extends and tightens the current regime under the Data Protection Act 1998 (DPA 1998) in relation to data privacy and data protection.
The Information Commissioner’s Office (the regulator, ICO) will have the power to impose greater financial penalties for non-compliance. All businesses and organisations that hold and process the personal data of individuals must be compliant with the new regulations.
Do you comply with the new data protection rules?
GDPR contains series of new rules that require businesses to revisit and refresh their systems and operations for data protection. Collectively, these new rules lay down a new “Compliance Odyssey” that businesses will have to follow to keep on the right side of the law.
If you’re unsure of whether GDPR applies to you, consider how regularly you deal with personal data – that includes present and past consumers, employees and suppliers, not just customer data. If it’s an everyday occurrence, then you should acknowledge the GDPR. The ICO has also stated that any businesses affected by the DPA will also fall under the GDPR.
Keep in mind that GDPR affects anyone holding data on EU citizens, including those companies which are not based in Europe.
Paramount objectives of GDPR:
- An essential aspect of GDPR is that anyone who manages, process and handles personal data (‘data processors’) have, for the first time, direct obligations. These consist of obligations to: maintain a written record of all data processing activities. Therefore, it is advisable that you designate a data protection officer where required.
- Recording of customers/employees/service-users’ (‘data subjects’) consent will also change significantly. Businesses must ensure that the consent they obtain from data subjects are adequate and GDPR compliant if they are to process an individual’s personal data. The data controller is required to be able to demonstrate that proper consent was given.
- The rules regarding Subject Access Requests (SAR) are also changing significantly. It is certain that the potential penalties for non-compliance with SARs rules will increase substantially under the GDPR (amount yet to be determined by the Government).
- Failure to comply with the new GDPR will lead to heavier punishments than ever before. Under current rules, the UK’s Information Commissioner’s Office (ICO) can fine up to £500,000 for non-compliance but under the new GDPR regime – the ICO will be able to fine up to €20 million or 4 per cent of annual global turnover.
- Breaches in data security must be reported immediately to data protection authorities such as the Information Commissioner’s Office (ICO) in the UK. Ideally, breaches should be reported within 24 hours if possible but at least within 72 hours.
You must ensure that you learn and follow the rules of the game! If you have any doubt regarding your compliance with the new Data Protection regime then here are some useful tips:
So, what do I need to do to make certain that my business complies with GDPR?
So, there’s a big burden for small businesses to carry – probably far more than they can cope with by using the in-house resources or basic templates available. Where should they begin?
The Information Commissioner’s Office (ICO) in the UK has created a helpful guide that lists 12 steps that businesses should follow through to ensure that they are ready for 25 May 2018.
Below is not an exhaustive list of what you can do but it will give you a good head start:
- Make sure that decision makers and key personnel in your organisation are trained and aware that the law is changing and notify them of any key dates for compliance. Train your staff, IT team, management, security people, etc. They all need to be aware of what the GDPR means for them in practice; and their compliance.
- Audit and complete a risk assessment on any systems you use for controlling and processing data, including those used by third party providers.
- Assess how you communicate privacy information to data subjects; and make sure that your Data Collection Policy is easily accessible. Evaluate what you obtain consent for, and how you get it. Make any changes to systems and processes necessary to follow the new rules.
- If you are a business that collects children’s data – you will need to revise your approach and revisit your safeguarding policies. GDPR is now enforces even greater regulation and protection of children’s and minors data.
- Ensure that you have the procedures in place to detect and investigate a data breach; and also, to report it. For example, do you keep a data breach ledger? Do you know who your whistleblowing champion is? Do you have a professional regulator to report to? If you don’t have this procedure in place, please seek urgent legal advice.
- Be sure that you know how to cope with the most serious regulatory sanctions and civil litigation.
- Consider appointing a data protection officer to oversee ongoing privacy arrangements.
A recent survey held by Thomson Reuters, found that a high percentage of UK business decision-makers are still completely in the dark about the legislative changes and what they need to do to ensure their business is ready. The study also highlighted a worrying statistic which suggests that one in five businesses have done nothing at all towards becoming GDPR-compliant, and a minority fear they won’t make the compliance deadline.
Over half of organisations have yet to obtain expert legal advice on the impact of the GDPR on their businesses. According to another Thomson Reuters survey of 650 UK accountants, 83% have not yet spoken to their clients about the General Data Protection Regulation (GDPR), but plan to.
Last but certainly not least, if you have any doubts regarding the new policies, ensure that you consult a legal advisor. The GDPR is an important change and one that represents obligations; and tensions between business-development and compliance, that must be considered carefully. Putting into place the right strategies and systems can keep your business secure for years to come.
For further information and a free-of-charge initial consultation regarding this topic, please contact Ms Joy Akah-Douglas – Department Head & Solicitor-Advocate; Margarita Synanidi – Legal Assistant, or any of our Hillary Cooper Law Team.