Since its approval by the EU Parliament in April last year, thoughts of GDPR (General Data Protection Regulation) have probably been looming in the minds of most small businesses and aspiring entrepreneurs. For many, the questions are: what is GDPR, and where do you start with GDPR compliance if you’re a small business? Well, with only a few months to go, now’s the time to get prepared.
The truth is that every business has to be GDPR compliant by 25th May 2018. That means GDPR compliance for small businesses is as important as it is for large corporations. Learning about the regulations and ensuring your new small business is GDPR compliant as soon as possible is essential. But don’t worry. We’re here to simplify your understanding of the new laws, answering questions you’ll have as a small business owner.
What is GDPR?
GDPR is a new set of regulations around data privacy with two main aims:
1) To strengthen data protection policy by giving EU citizens more control over their personal data and what the data is used for.
2) To modernise and simplify the data regulations for businesses that operate in the EU.
The overarching purpose of the regulation is to give power and privacy back to the people whose data is collected and often sold for money. It is also designed to encourage companies to uphold a framework that takes data protection seriously. Failure to comply will result in a harsh financial penalty – up to 4% of that company’s global turnover. That’s a huge loss for any business regardless of size. Plus, individuals will be able to sue businesses for compensation if they think their data has been misused or mishandled.
Does GDPR apply to me?
GDPR recognises that small businesses require different treatment from larger ones. This is why Article 30 of the regulation declares that organisations with fewer than 250 employees will not be bound by GDPR compliance unless the processes the organisation carries out are likely to pose a risk to the rights and freedoms of their data subjects.
This gives the impression that a lot of small businesses won’t be affected by GDPR – but in reality, collecting and storing any category of personal data such as health data, racial or ethnic origin, religious beliefs and/or sexual orientation will mean that GDPR compliance is required by law.
If you’re still unsure of whether or not GDPR compliance is something that applies to you, then consider how often your organisation will be handling the personal data of its clients, employees and suppliers. If data processing is going to be a regular part of business procedure, then you should abide by GDPR.
What about Brexit?
Regardless of Brexit, when the law changes on 25th May 2018, we’ll still be a member of the EU. This means we will still be obliged to comply with EU laws. It remains to be seen whether the rules will change once the UK leaves the EU. For now, British firms are legally required to make changes in order to become GDPR compliant. We have only an inkling of what life will be like for small businesses once the UK has exited the EU, but one thing we do know is what will happen if they don’t become GDPR compliant – a lot of hassle and heavy fines.
How can I ensure my business is GDPR compliant?
The next step on your journey to compliance is to learn exactly what you need to do. Follow these three key processes to ensure you’re safely ticking all the right boxes for GDPR compliance:
1. Recruit or appoint someone to handle GDPR compliance
Even if there are just a couple of people in your business, appoint a designated Data Protection Officer who should have a demonstrable and comprehensive understanding of GDPR. Currently, the regulation states that only public authorities that carry out “regular and systematic monitoring of individuals” are required by law to appoint a DPO. But even if it’s not a legal requirement for you to have a DPO, it is advisable to appoint someone to be responsible for compliance. This doesn’t have to be a full-time, in-house member of staff; for small businesses where everyone is too busy, outsourcing this role might be the most cost-effective option.
2. Introduce a company cybersecurity strategy
Data breaches, thefts or losses of personal data must be reported within a maximum of 72 hours. In the past year we’ve witnessed a surge in cyber attacks on small businesses all over the world. To safeguard your company against data breaches and give it the best possible chance of returning to business as usual, a company-wide strategy should be put into place that addresses where the data is kept, who is able to access it, how to identify data breaches and to whom they must be reported. Introducing a comprehensive, robust cybersecurity strategy and bringing in a professional to educate your workforce on cybersecurity is a sensible investment. Check out our blog on how to spot the red flags of cyber attacks for more information.
3. Never process data without explicit consent
Ensure that consent is explicitly given by all people whose data you hold and that you retain proof of this consent. Privacy policies must be updated to include why your company wants their data and how it is going to be used, so that individuals have a clear understanding of what they are opting into. Customers must also have the option to withdraw their consent at any time. If you mishandle data or use it in ways the individual hasn’t approved, they can build a strong case against you.
The sooner you start prioritising GDPR compliance for small businesses, the better off your business will be. Doing nothing isn’t an option. Make sure you stay ahead of the game, maintaining a competitive advantage by getting GDPR compliant as soon as possible. You can find more advice tailored to the needs of small businesses in our help centre.
Published Monday July 31, 2017