The General Data Protection Regulation (GDPR) will replace the Data Protection Act (DPA) in May 2018. The headline-grabbing impact of the GDPR is the fines: up to €20m or 4% of global turnover (whichever is the higher), depending on the scale of the issue you have with personal data. But it also presents OPPORTUNITIES: to improve trust and transparency with clients, staff and suppliers on how their personal data is used; to review legacy processes and systems dealing with personal data; and to establish what personal data is being collected, stored and processed and confirm the lawful basis for doing so.
Why does the DPA need to be replaced? The DPA was implemented in the 1990s, when there was no social media or cloud computing. It does not reflect how we now live and do business; we need better ways to protect and use personal data. The Information Commissioner’s Office (ICO) says “Growth in the digital economy requires public confidence in the protection of this information”. The good news is that many of the concepts and principles are much the same as those in the DPA; if you are currently complying in all areas, most of your approach remains valid.
I don’t have any personal data! All businesses have some personal data. Even if you are a startup with no staff, you are going to have personal details of business contacts (which fall within the scope of the GDPR).
Does Brexit make a difference? No, the UK Government has confirmed that the GDPR will be implemented in May 2018. The Information Commissioner has said “there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018”.
If I ignore it, what will happen? You will not be complying with a legal requirement of running a business. Nothing may happen, but you could be fined. The GDPR says fines should be “effective, proportionate and dissuasive”. They can be issued for a data breach or for failing to show that you have taken steps to comply with the requirements.
Is this all about IT? It isn’t. It is more about processes and having proof that you comply. The GDPR references the need for “…appropriate technical and organisational measures be taken” 10 times. The “appropriate” part is important – you may not need to buy expensive IT solutions.
Who should look after GDPR compliance? The programme of work to prepare for GDPR needs ownership at a senior level as it requires involvement from all parts of the business that come into contact with personal data in electronic and paper formats.
What are some of the main areas of the GDPR?
- The definition of personal data is much wider. It includes online identifiers, such as the ID of your mobile phone while you browse the internet, along with HR, customer and client records. So that includes names, postal addresses, phone numbers and email addresses. And there are ‘special categories of personal data’, which include genetic and biometric data.
- If you rely on consent to send out marketing emails, you need evidence that the person has given that consent to you, and it must be possible to withdraw it as easily as it was given.
- There is a right to be forgotten. You need a process to check whether requests are valid and, if there is no other legal reason to keep the data, it needs to be erased. If you have passed the details to a third party, you need to contact that party and make sure they also erase it. This means there is an impact across the supply chain.
- Data protection by design. You need to show that data protection has been considered when designing or updating a process or computer system.
- There is no need to register with the ICO on an annual basis to say what data you are processing. However, the Digital Economy Act does require data controllers to register with the ICO; the fees to be paid are due to be announced in Q1 2018. You need to keep an internal record of the personal data being processed, but if there are fewer than 250 people in your business there may be an exemption. It depends on the processing you do.
- Businesses where there is ‘regular and systematic monitoring of data subjects on a large scale’, or that conduct large-scale processing of ‘special categories of personal data’, need to appoint a Data Protection Officer (DPO). The DPO does not have to be full-time. Most SMEs may not need a DPO.
So what do I need to do? First, identify all the personal data you have. Then determine where changes are needed so you are ready to meet the GDPR Principles. Get in touch for details about how we can help you prepare for May 2018.
t: +44 (0)7941 188462