The General Data Protection Regulation (GDPR) has made headlines for the last year, but with only 12 months to go, SMEs need to ensure their businesses are prepared.
Regardless of ongoing Brexit negotiations, the UK has committed to implementing GDPR by 25 May 2018. All UK businesses collecting data on EU customers will be affected, including SMES. While small business owners may consider this just another regulatory burden, it is an important one to take note of. With this in mind, we’ve highlighted some of the key facts below.
Why is GDPR needed?
With the internet and cloud computing, data processing had changed significantly since the late 90s when data protection laws were last reviewed. This has come hand in hand with an increase in data breaches which peaked last year, growing by 40% compared to 2015, according to the Identity Theft Resource Center.
A recent report by Juniper Research revealed that almost three-quarters of UK SMEs think they are safe from cyber-attack, yet half of these suffered a data breach. Against this backdrop, the need to protect personal data more effectively has never been more evident.
[easy-tweet tweet=”GDPR will strengthen the protection of personal information” hashtags=”GDPR,Security”]
What is GDPR?
GDPR is the new law that comes into force next May 2018, requiring any business that operates in the EU or handles the personal data of EU residents to implement a strong data protection policy to protect client data. It replaces the Data Protection Act 1998, with the following key differences:
- Broader scope: the regulation affects any business that collects, processes or stores personal data from EU-based individuals, including businesses based outside the EU. The definition of personal data has also been broadened to include genetic, mental, economic, cultural and social identity, thereby bringing more data into regulation.
- Tougher penalties: a two-tiered sanction regime will see breached organisations receiving fines of up to 4% of annual global turnover or €20 million – whichever is greater. Fines are dependent on data loss and the systems and technology put in place.
- Shorter notification of breaches: businesses are required to report data breaches to the relevant Data Protection Authority within 72 hours of detection.
- Accountability and Privacy by design: GDPR places increased accountability on business systems and processes. Data controllers must maintain documentation, conduct a data protection impact assessment for riskier processing, collect only necessary data and discard it when no longer required.
- Appointment of a data protection officer (DPO): a mandatory requirement for all public authorities and companies whose core business activities are data processing.
- Consent required to process children’s data: parental consent will be required to process personal data of children under 16 and individual EU Member States may choose to lower this age to 13.
- Access to data: data subjects are entitled to request a copy of their personal data in a format usable by them and electronically portable to another processing system.
- The right to be forgotten: data subjects have the right to erase their data. Businesses must ensure they have the processes and technology to delete data in response to requests to do so.
GDPR will strengthen the protection of personal information. Regardless of size, all companies doing business in the EU will be required to collect, store and use personal information more securely.
While there are few areas where SMEs are recognised as having fewer resources and capabilities than larger enterprises, small businesses can take comfort in some leeway regarding documentation and record keeping. The degree of leeway at this stage is still uncertain. Providing SMEs can demonstrate they’ve taken a proactive approach to data protection, privacy and meeting the requirements of GDPR, regulators will work with them on any problems that might arise. Engaging with the right consultants and documenting all actions undertaken will be key to compliance and avoiding hefty fines which may have a disproportionate effect on SMEs
How to prepare your SME?
Businesses need to act now to ensure they understand the actions required to achieve compliance. The first step is undertaking a data processing audit to identify any gaps in your systems, while giving you sufficient time to rectify them.
The Information Commissioner’s Office provides a handy guide to helping prepare your business; Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now. There are also various GDPR awareness training days that are available to help you understand what is required of your business.
Customers are the lifeblood of any SME so ensuring you have the correct processes in place to handle data and avoid a potential breach is vital. Establishing a plan to deal with any potential breach or cyber-attack is equally important. This will avoid further damage to client or supply chain relationships, particularly with the new reduced breach notification periods.
In summary, the sooner you start getting your GDPR strategy in place, the better. For more advice on protecting your data within your IT systems, please get in touch, and we’d be delighted to help.