The new European General Data Protection Regulation (GDPR) has been designed to give individuals in the European Union more control over how their personal data is collected, used and stored.
On the other side, it has been designed to make the rules easier for international businesses to understand and implement, because one regulation now applies uniformly throughout the European Union instead of a separate data protection law in each member state.
The new regulation applies to all organisations that are established in the EU and to any organisation, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour, so the Brexit decision does not leave the rules rudderless within the UK. In fact, once the UK has officially left the EU there will be a new Data Protection Act in place that mirrors the GDPR.
With the advent of GDPR, stricter penalties are expected for non-compliant businesses. Current penalties under the existing UK regime include enforcement notices and binding undertakings to improve compliance, monetary penalties of up to £500,000, and criminal prosecution of those who deliberately obtain or disclose personal data unlawfully.
From 25 May 2018 you can expect to see much heavier fines: the upper tier allows a fine of up to €20 million or 4% of a business's annual worldwide turnover, whichever is higher. What this means for small and medium-sized businesses is that non-compliance with GDPR could pose a real risk of insolvency.
What You Need to do as a Small Business
Put together a list of all the things you need to do as a small business to comply with GDPR. Businesses with fewer than 250 employees still have to be ready for GDPR; the size threshold only narrows some record-keeping duties, it does not exempt you. You should have in mind all customers you hold data for, as well as current and past employees, job applicants and suppliers.
Understand What Data You Store – When called upon you will have to clearly demonstrate an understanding of all the personal data that you hold, where it came from, why you hold it and who you share it with. This will include names, addresses (both physical and email), online identifiers such as IP addresses, financial information, personal photos, and special category data such as religious beliefs and health information.
Re-Evaluate Consent Practice – Consent is only one of the lawful bases for processing, but where you do rely on it, it must be freely given, specific, informed and unambiguous, obtained by a clear affirmative action (no pre-ticked boxes or inactivity), recorded, and as easy to withdraw as it was to give. Consent obtained before the GDPR comes into effect can only be relied on if it already meets this standard, so review existing consents and refresh any that fall short.
Update Security Measures and Processes – All security processes and policies should be reviewed and updated to reflect the GDPR. Encryption and pseudonymisation are named in the regulation as appropriate technical measures, and encrypting personal data has a practical pay-off: if encrypted data is lost or stolen and the key is not compromised, you are generally not required to notify the affected individuals. Encryption alone does not make you compliant, however; access control, patching, backups and staff training still matter. When collecting data it is important to provide a clear and fair privacy notice describing to individuals how and why their data is being collected, how long it is kept and who it is shared with.
Access to Data – Under the new rules any individual whose personal data you hold has the right to access that data (a subject access request), to have incorrect information corrected, and in some circumstances to ask for it to be deleted. A request must normally be answered within one month, extendable by a further two months for complex or numerous requests, and in most cases free of charge, so be prepared to have processes in place to verify the requester's identity, locate all the data you hold about them and respond in time.
Serious Breach Protocol – Under the new regulations a personal data breach must be reported to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and the affected individuals must also be told without undue delay where the breach is likely to put them at high risk. What this means is that all employees who handle data within your company have to be trained and fully prepared to understand what constitutes a breach, to pick up on red flags and to report any mistakes promptly to the Data Protection Officer (DPO) or the person responsible for data protection compliance. Keep an internal log of every breach, including those you decide not to report and why.
Speak to Suppliers – It is important that you work with suppliers that are also GDPR compliant. Any supplier that processes personal data on your behalf (a processor, such as a payroll provider or cloud hosting service) must be bound by a written contract that sets out what they may do with the data, and you remain responsible for choosing suppliers that can demonstrate adequate security. Now is the time to have a dialogue with them to ensure they are also getting ready for the change and that you are not exposed to breaches within your supply chain.
A DPO? – The majority of smaller businesses will not require an on-staff Data Protection Officer (DPO). It is worth looking into it further if your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special category data, because in those cases appointing a DPO is mandatory regardless of company size.
It is important as a small business owner to take GDPR seriously. It also helps to think about your own personal data and how the companies you have dealt with in both your personal and business life might be holding it; that perspective makes it easier to see what your customers will expect from you.
You can also join our Google+ Community “Startup in Britain” which is packed with help, resources and articles to get you started. Use it to get tips, advice and start building your network!