The introduction of GDPR has been described as the most important change in data privacy regulation for two decades! It will affect businesses of every size, but small businesses in particular are struggling to know where to start with the new legislation. So, how could it affect your small business?
What is GDPR?
The EU’s General Data Protection Regulation - GDPR - has been created to better protect EU citizens from data breaches and to improve privacy and the way personal data is stored. The world has become increasingly data-driven in the last 20-odd years, with little regulation around it, so GDPR gives people more control over how their personal data is stored and used by others.
If you look at the GDPR website, you’ll see that GDPR will “harmonise data privacy laws across Europe, protect and empower all EU citizens and reshape the way organisations approach data privacy.”
The Information Commissioner’s Office - ICO - is the UK’s independent regulator for data protection and will be enforcing GDPR in the UK. Most of GDPR builds on principles already found in the current Data Protection Act 1998 - DPA.
This means that if your business already complies with the DPA, you are already some of the way to complying with GDPR, although you will still need to review your practices against the new requirements (for example on consent, breach notification and data subject rights) rather than assume nothing changes.
GDPR is being introduced on the 25th May 2018, so it is important to get your business ready in the coming weeks in order to avoid substantial fines. In this article, we will go through the steps you can take to become GDPR compliant.
Will my business be affected by GDPR?
Under GDPR, “personal data” is defined as: “Any information related to a natural person or ‘data subject’ that can be used to directly or indirectly identify [them]." This includes:
- A name
- A photograph of them
- An email or postal address
- Bank account details
- Medical information
- Computer IP address
GDPR applies if you are a data controller (i.e. a business that decides why and how personal data is collected) or a data processor (i.e. a business that processes personal data on behalf of a controller) and you handle data on any data subject who is in the EU.
Even if your business is based outside the EU, if you offer goods or services to individuals located within the EU, or monitor their behaviour, you must still comply with GDPR. The ICO has confirmed that the UK’s decision to leave the EU will not affect GDPR and all businesses must still comply come May 2018.
Under GDPR, data controllers and processors must ensure that data is processed lawfully and for a specific, stated purpose. Once that purpose is fulfilled and the data is no longer required, it must be deleted or anonymised.
What if my business doesn’t comply with GDPR?
If your business fails to comply with GDPR by 25th May, you could be hit with a fine of up to €20m or 4% of your annual worldwide turnover, whichever is higher.
The size of the fine you receive will be dependent on a few things:
- Whether the violation was intentional or not.
- Whether adequate steps were taken to reduce the risk.
- The type of personal data.
- Number of people that have been affected.
- The extent of the damage they suffered.
- How long the violation lasted.
- How the ICO found out about the violation.
There is not only the fine to consider, however. If you don’t comply with GDPR, you will damage your reputation as a business. Customers will recognise that you don’t protect their data and become reluctant to do business with you.
How can my business get ready for GDPR?
✓ Raise awareness
Ensure your employees know about GDPR and the impact it will have on the business.
✓ Review your data
Find out what personal data you already hold, where it is stored, how you obtained it and who you share it with. Delete any data you no longer need.
✓ Devise a plan for GDPR compliance
Review your business’s current privacy notices. Create a strategy for making the changes needed so your business becomes GDPR compliant before May 25th.
✓ Think about access requests
Update your procedures and plan how you’ll handle subject access requests within GDPR’s new timescales: you must normally respond within one month, and in most cases you can no longer charge a fee. Plan how you will verify the requester’s identity and provide the additional information GDPR requires, such as your retention periods and the source of the data.
✓ Explain your processes
Identify and document the legal basis for each of your data-processing activities. Update the privacy notice on your website and in your communications to explain it.
✓ Review your consent methods
Consider how you seek, record and manage consent, and whether you need to make any changes. Where you rely on consent, make sure it is requested in the way GDPR requires: a clear, affirmative action by the data subject, separate from other terms, with no pre-ticked boxes, and as easy to withdraw as it was to give.
✓ Give data subjects their rights
Make sure your procedures give data subjects their legal rights under GDPR, including the “right to be forgotten” (the right to erasure: a data subject can ask you to delete their personal data, for example when it is no longer needed for the purpose you collected it for, or when they withdraw consent).
✓ Focus on data breaches
Are your current systems secure enough and appropriate for the data you hold? Review your technical and organisational measures, and make sure you can detect, investigate and record a breach. Under GDPR you must notify the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals, and tell the affected individuals without undue delay where the risk is high, so have a breach response procedure ready before 25th May.
✓ Familiarise yourself with the ICO’s code of practice
Read the ICO’s code of practice on privacy impact assessments (called data protection impact assessments, or DPIAs, under GDPR) and carry one out for any processing that is likely to result in a high risk to individuals.
✓ Assign responsibility
Make sure your business is GDPR compliant by assigning responsibility for GDPR to one of your employees, or even to yourself. This person will then become the in-house expert and drive progress. Note that some organisations (public authorities, and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data such as health data) must formally appoint a Data Protection Officer.
Where can I find more information about GDPR?
It’s important to read as much as you can about GDPR (including the myths surrounding it) and learn how your business can adapt to the changing legislation. GDPR is a turning point in the way businesses store data, and by complying you’re showing your commitment to customers and their data. If you haven’t already started, it isn’t too late! Start changing the way your business collects and processes data now, and be compliant by the 25th May!
Share and enjoy
If you have any questions or comments about this post, please fill in the comment box below. Or send me an email: firstname.lastname@example.org.