The introduction of the GDPR has been described as the most important change in data privacy regulation for 20 years. So, how could it affect your small business?
The EU General Data Protection Regulation (the GDPR) was created to replace Directive 95/46/EC, the Data Protection Directive adopted in 1995.
The aim is to better protect EU citizens from privacy and data breaches, because the world has become significantly more data-driven in the past 20 years. And, crucially, the EU wants people to have more control over how their personal data is used by others.
According to the EU GDPR website, the GDPR will “harmonise data privacy laws across Europe, protect and empower all EU citizens and reshape the way organisations approach data privacy.”
The Information Commissioner’s Office (ICO) is the independent authority in the UK that “upholds information rights in the public interest”. It will regulate the GDPR and although it believes organisations will need to be more accountable and transparent, it says many of the GDPR’s main concepts and principles are “much the same as those in the current Data Protection Act (DPA)”.
That means, if your business already complies with the DPA, you’re unlikely to have to make radical changes to become GDPR compliant. However, as the ICO warns: “There are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.”
According to Steve Wood, ICO Deputy Commissioner (Policy), the GDPR is “an evolution in data protection, not a revolution”. He adds: “Many of the fundamentals remain the same. Fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process – these are all things you should already be doing with data and [the] GDPR seeks only to build on those principles.” But, he stresses: “That doesn’t mean there’s any room for complacency”.
Although the EU adopted the GDPR on 27 April 2016, it applies from 25 May 2018, which gives businesses time to become compliant. Those that do not comply could face very heavy fines. You should find out now whether the GDPR affects your business and, if so, take steps to become compliant.
Under the GDPR, “personal data” is defined as: “Any information related to a natural person or ‘data subject’ that can be used to directly or indirectly identify [them]." This could be:
The GDPR applies if the data controller (i.e. the business or organisation that decides why and how personal data is collected) or the data processor (i.e. the business or organisation that processes data on the controller’s behalf) is established in the EU, regardless of where the processing itself takes place.
Even if a controller or processor is based outside the EU, the GDPR still applies if it offers goods or services to people in the EU, or monitors their behaviour, and so collects or processes personal data relating to them.
Under the GDPR, controllers must ensure that personal data is processed lawfully, transparently and for a specific purpose, after which – if the data is no longer required – it must be deleted.
The GDPR will apply to all businesses that store and process the personal data of data subjects living in the EU. So, UK companies collecting or processing personal data must comply with the GDPR, because the UK will not leave the EU until after May 2018. And according to the ICO: “The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.”
Even after the UK leaves the EU, UK firms collecting or processing the personal data of people living in the EU will have to comply with the GDPR.
If your business does not comply with the GDPR, the most serious infringements (for example breaching the basic principles for processing, or the rights of data subjects) can attract a fine of up to €20m or 4% of worldwide annual turnover, whichever is higher. A lower tier of up to €10m or 2% of worldwide annual turnover applies to other infringements, such as failing to keep adequate records or to notify a breach.
The size of a fine will be determined by a range of factors including:
• Whether the infringement was intentional or not.
• Whether adequate steps were taken to mitigate risk.
• Type of personal data.
• How many people were affected.
• How much damage they suffered.
• How long the infringement lasted.
• How the ICO found out about the infringement.
Under the current DPA, the Information Commissioner’s Office (ICO) can impose a monetary penalty on a data controller (which could be a small business) of up to £500,000; the GDPR replaces that cap with the far higher limits described above. You can appeal, either the penalty or the amount. Fines are paid to the Treasury, not the ICO.
Steve Wood, ICO Deputy Commissioner for Policy, warns of other damage that your business can suffer if it fails to manage customer data properly. “Failing to get data protection right is likely to damage your reputation, your customer relationships and, ultimately, your finances. That goes way beyond increased fines – think brand damage and a subsequent loss of custom,” he explains.
• What if I only collect customer email addresses?
• What if someone else processes the data my business collects?
• What if I want to continue sending marketing materials to people on our existing marketing database?
• What if a customer asks me what data I hold about them?
• What if I only store personal data in a manual filing system?
• What about customer personal data I collected years ago?
The website of the Information Commissioner’s Office (ICO) features a considerable amount of information aimed at helping businesses comply with the GDPR.
The ICO recognises that GDPR compliance can be a challenge for small businesses. The Information Commissioner, Elizabeth Denham, says: “All organisations have to get ready for the new data protection rules, but we recognise that the 5.4 million small businesses in the UK face particular challenges.
“[They] want to be ready when the new law comes into force in May 2018, but they often struggle to know where to start. They may have less time and money to invest in getting it right and are less likely to have compliance teams, data protection officers or legal experts to advise them what to do.”
The organisation has launched a new phone line service that offers additional, personal advice to small businesses. All you need do is call 0303 123 1113 and select option four to speak to support staff. According to the ICO: “As well as advice on preparing for the GDPR, callers can also ask questions about current data protection rules and other legislation regulated by the ICO, including electronic marketing and Freedom of Information.”
The Federation of Small Businesses has also published information about the GDPR, how to prepare for the GDPR and how the GDPR could affect small businesses. The Forum of Private Business has also published a guide to the GDPR.
There’s a wealth of information and advice about what you need to do, including the ICO’s 12 steps to take now.
Even the smallest business can have masses of data, which if lost would at the very least be inconvenient, or at the worst, disastrous.