On 25 May 2018, the European General Data Protection Regulation (GDPR) will apply to all businesses, including SMEs.
Many smaller businesses have said: “we will wait and see what happens post Brexit.” If the Government decides not to implement GDPR rules post Brexit then EU businesses will still need to be compliant with the GDPR for at least ten months. However, it is highly likely that the Government will implement equivalent GDPR rules post-Brexit.
The GDPR is designed to help safeguard data protection rights for individuals and it introduced a set of rules across the EU stipulating how organisations should handle data relating to individuals. So, if your business holds personal information such as names, addresses, customer lists or HR records you need to be compliant with certain requirements of GDPR.
As an SME you may be exempt from some of the more rigorous steps, e.g. the need to appoint a data protection officer. As an SME, if you are able to demonstrate that you have a GDPR-compliant data protection clause in place, you may find yourself at a competitive advantage over your peers when it comes to tendering for new business.
There are several simple steps that you need to consider to make sure you are compliant by 25 May 2018. The key points are:
Know what data you hold, where it is coming from and what you plan to do with it. It is important that you understand and record what ‘personal data’ you hold as a business, how it was captured, how it is held, how you use it, and where it is going.
As I create e-newsletters for my clients I am really concerned about consent. Are you relying on consent? The definition of consent has been tightened so that it must be ‘unambiguous’ when given.
If you are using consent you will need to get it retrospectively for existing customers. Requests for consent will also have to be presented in a manner that is completely separate, so they can no longer be hidden within other policies or small print on your website. Where you are relying on consent to process ‘personal data’, being able to prove how you obtained it will be vital.
Right of data access. Individuals will have a number of rights when it comes to how you look after their ‘personal data’. Make sure you have appropriate processes and templates in place so that data subject rights can be met within the new timescales.
Know what constitutes a personal data breach. You should try to develop and encourage a culture where your employees feel comfortable in self-reporting when they have made innocent mistakes, such as sending an email to the wrong person - the root cause of the vast majority of data breaches.
Review terms and conditions and supplier contracts. Where a contract involves personal data, it is essential to analyse the relationship between the parties.
Conduct due diligence on any suppliers that process ‘personal data’ on your behalf or jointly or in common with you to make sure that there are adequate protections in place to cater for the GDPR. This could be by either asking them to complete a due diligence form to capture what measures they have in place (which should then be reviewed to make sure that they are sufficient) or by conducting an on-site audit.
Where your suppliers (as processors) are processing ‘personal data’ on your behalf (as a controller) you have an obligation to update your contracts with them to ensure that “processors” are contractually obliged to provide GDPR compliant data protection standards. It is worth noting that if you act as a processor for other companies, they will be looking to amend your contract with them on the same basis, and new customers will increasingly focus on this.
Understand whether you need to appoint a data protection officer (DPO) if your core activities involve ‘large-scale’ monitoring or processing of sensitive personal data.
WHAT ARE THE CONSEQUENCES OF YOU FAILING TO COMPLY WITH GDPR?
The fines for non-compliance: failure to comply with the GDPR could result in a fine of up to 4% of a company’s global turnover (for the preceding financial year) or €20 million, whichever is the higher. Although many small businesses believe it won’t apply to them, the ICO has already demonstrated its willingness to impose financial penalties on SMEs, although it will consider the business’s ability to continue trading following any financial penalty.
WHERE CAN SMEs GET ADDITIONAL HELP/SUPPORT?
While compliance with the GDPR may seem labour intensive, it ultimately exists to make sure that you are able to best protect your customers’ personal data. If you fail to protect personal data there can be a massive detrimental impact on the reputation of your business. So, compliance with the GDPR and the protection of customers’ personal data is in the best interests of your business and in the protection of your hard-earned reputation.
There are many resources available to help you make sure you are compliant with GDPR by 25 May 2018. In particular, the Information Commissioner (ICO) has prepared a Data Protection Self-Assessment Toolkit for SMEs. You can use the ICO’s checklists to assess your compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure. Once you have completed each self-assessment checklist, a short report will be created suggesting practical actions you can take and providing links to additional guidance that will help you improve your data protection compliance.
Finally, I am not a GDPR specialist – I am just aware that I need to put processes in place to ensure that the personal data I hold follows GDPR guidelines. If you need advice on GDPR then I suggest you get in touch with Sally Stanier of PIM Consultancy, who has provided me with invaluable advice on data protection issues.
How I can help you
I can help you stay in touch with your clients who have “opted-in” by creating professional e-newsletters! Need help – then please get in touch.
All blogs are written by SunflowerVA and they are based on our experience.