10 Things SMEs Need to Know About GDPR

21 February 2018

From 25th May this year, privacy laws are going to change with the introduction of the General Data Protection Regulation (GDPR). It affects anyone who handles personal data relating to individuals living in the EU.
Here are our top ten things you need to know if you are an SME.
- Does the GDPR Affect Me?
There are very few businesses or organisations that don’t handle any individual or personal data. Essentially, if your small business holds information such as employee records, customer data and even IP addresses, you will have to comply with the GDPR.
There are some exemptions for smaller companies that don’t have the proper resources, and you may be able to take advantage of these. But if you are doing business with a larger company that is subject to all the regulations, you may well find that your own standards need to rise accordingly.
- Why Was It Introduced?
The GDPR is an EU-wide change in regulations, designed to give individuals greater protection and more say over how their data is used. In the UK it extends the scope of the existing UK Data Protection Act 1998.
- What Happens If I Ignore It?
If you fall foul of the GDPR through non-compliance, you could be liable to prosecution and fines of up to several million Euros for serious breaches, and even imprisonment for intentional breaches.
- What About Brexit?
First of all, the GDPR is being implemented this May, well before Brexit runs its course. Secondly, the UK Government has already indicated that it will implement a similar, if not identical, regime to the GDPR once we come out of the EU.
- What SMEs Need To Do To Comply
There are a number of things that SMEs need to do before the start of May 2018:
- You should be checking what data you hold, how you capture it and what happens to it while you are responsible for it.
- You can no longer rely on implied consent from those whose data you hold. This cannot be hidden within the small print of contracts or policies. In other words, you have to get permission directly from the customer/individual rather than relying on an implied permission.
- You need to have a data policy in place including implementing security measures such as encryption.
- You need to understand and have processes in place to ensure that individuals have right of access to the information you are keeping about them.
- You need to understand what a data breach is and have processes in place for handling one if it occurs.
- Appointing a Data Protection Officer
You may need to appoint a data protection officer if you carry out regular monitoring of individuals on a large scale, or if you process certain categories of data on a large scale.
- Plans in Case of a Breach
You will have a duty to report a data breach to the Information Commissioner’s Office (ICO) if it puts the rights and freedoms of individuals at risk. This has to be done within 72 hours of the breach occurring. Small businesses need to plan for how they are going to respond to any potential breach, no matter how small. That includes who the breach is reported to and how it is investigated and resolved.
- The Changing Notion of Consent
At the heart of the GDPR is the changed notion of consent, which means that small and medium-sized businesses have to be extremely careful about how they use the data they hold on individuals, including employees. For instance, employees will need to consent to receive a company newsletter, and existing customers will need to consent to receive marketing information.
- What is the ICO?
The ICO is the Information Commissioner’s Office, the independent authority tasked with administering the GDPR and ensuring that businesses abide by it.
- What Do I Do Now?
If you haven’t yet prepared for the May 2018 deadline when the GDPR comes into force, you need to do so as a matter of urgency.
If you require assistance analysing how specifically the GDPR will affect your business, and want a clear understanding of what changes and provisions will need to be made, then get it solved! Contact us on 07714 790024 or email firstname.lastname@example.org