Data protection is an increasingly important area of business, but the implications for small businesses are not generally well understood. For example, did you know that on 25 May 2018 a new set of data protection rules comes into force? The new law is the GDPR, the EU General Data Protection Regulation. It governs how personal data is collected, used, stored and secured, and non-compliance can mean fines.
Large and small businesses
Much of the public discussion of the GDPR has focused on businesses that employ more than 250 people, and the regulation does recognise that large and small businesses operate differently: some of its record-keeping obligations are relaxed for organisations with fewer than 250 employees. However, the core duties of the GDPR apply to any organisation that processes personal data, regardless of size, and there are specific instances where the new rules bite on small businesses too. A recent survey showed that many large businesses were preparing for the new regulation, but over 80% of small businesses were unaware of the changes.
To begin with, it is a good idea to understand the thinking behind the new regulation. The GDPR has two main objectives. The first stated aim is to give people back control over their own personal data. The second is to unify data protection rules across the whole of the EU, as part of a strategy of simplifying business dealings between member states. There is a detailed guide to the GDPR available on the Information Commissioner's Office (ICO) website.
But we’re leaving the EU aren’t we?
Don't imagine that we can ignore the new rules because we voted for Brexit. If your business handles data concerning EU citizens, you will have to comply. The government has also made it clear that the existing Data Protection Act 1998 (DPA) will be replaced by new legislation containing the same requirements as the GDPR.
Some organisations will be obliged to appoint a specific individual to ensure the responsible and secure collection and storage of personal data: a Data Protection Officer. This duty falls on public authorities and on organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, so most small businesses will not need one. However, any personal data breach that is likely to put individuals at risk must be reported to the ICO without undue delay, and where feasible within 72 hours of becoming aware of it, and the individuals affected must be told where the risk to them is high. To achieve this timescale, it makes sense for one or more named individuals to be assigned responsibility for spotting, assessing and reporting breaches.
Data protection in small businesses
The biggest impact on small businesses will come when you process personal data. The relevant data relates not only to customers but also to current and past employees and even to individuals at suppliers. If you process personal data at all, you must comply with the GDPR; if you currently fall under the DPA, the same applies. Among the rights the new regulation gives individuals is the 'right to be forgotten' (the right to erasure), which applies where the individual withdraws the consent on which processing was based, or where there is no longer any reason for you to retain the data.
Individuals can also ask an organisation for a copy of all the personal data it holds about them via a Subject Access Request, or SAR. Failure to comply fully can not only result in fines from the ICO; the individual can also sue you for compensation to cover any material loss or damage, or for any distress caused.
What data and where?
In order to comply with the GDPR, every business will need to carry out some kind of data audit so that it knows exactly what personal data it holds, where it is and why. For a small business without a dedicated IT department, this can be a tall order: paper records alongside databases, spreadsheets, email and mobile devices, spread across multiple platforms and systems. Imagine how you would cope with a Subject Access Request from a past employee, and you can begin to see the scale of the problem. The good news is that there are tools and services available to discover and then streamline stored data, but preparation is the key, and time is running out.
For more information on data protection and associated regulations, email us at firstname.lastname@example.org or complete the form below.