New data protection rules for SMEs: are you ready for GDPR?
4th May 2018
Have you noticed inboxes have been filling up with organisations asking us to re-subscribe to them and telling us about how they are handling our data? It’s all about the new European Union regulation which applies from 25 May 2018. All UK businesses, small or large, and in all sectors have to comply with the GDPR (General Data Protection Regulation) by that date or face potentially large fines and even reputation damage.
We’ve all recently seen the consequences of playing fast and loose with other people’s data. The Facebook data breach episode has been a timely reminder about what can happen if your customers’ data is used in ways in which they haven’t agreed – Facebook shares collapsed, the hashtag #LeaveFacebook became a thing and now the other firm involved, Cambridge Analytica , has closed down.
What is the GDPR?
The GDPR is all about improving the protection of an individual’s data which is held by others. Businesses need to pay attention because it will affect how they are allowed to collect, use, store and destroy the personal data which they hold.
The GDPR’s primary aim is to strengthen data protection for all people with the European Union. It’s also intended to simplify the regulatory environment for international businesses trading within the EU – all firms which market goods or services to EU residents, regardless of their own location, need to comply.
The GDPR outlines how personal data can be used. Personal data means any information relating to a living person who can be directly or indirectly identified by that information.
Personal data includes:
o Name (title, first name and surname)
o Postal address (full or partial eg. postcode)
o Email address
o Telephone number (home or mobile)
o Membership number
o Online identifiers (such as IP address)
The GDPR is not optional. All firms and organisations which hold and use personal data must comply with its rules – that means data which firms hold, for example, on customers, clients, staff, suppliers and even prospective customers. Failure to comply with the GDPR can attract sever penalties, currently up to 4% of turnover or £17m, whichever is higher. However firms also risk damage to reputation and potential legal action.
Brexit won’t be a get-out clause either for this EU law – the UK government intends to adopt the EU’s GDPR into own legislation shortly so it will still apply after the UK’s departure from the EU currently slated for March 2019.
Are small businesses ready for the GDRP?
Having to makes administrative changes to your business can be an inconvenient distraction to getting on with day-to-day work. Concerned with fulfilling orders, winning new customers and staying competitive it can be particularly challenging for SMEs (small-to medium enterprises) who may be already stretched and lack good IT support .
With the formal adoption of the GDPR in April 2016, businesses were given two years to prepare for the compliance date of 25 May 2018. Despite this there are concerns about the number of SMEs who are not prepared. One survey found that almost half (46%) of all SMEs have not heard of the GDPR while less than 1 in 10 (9%) of UK SME bosses fully understand what the forthcoming new legislation means for their business ( Future Attitudes survey, 2017 ).
Just last month the FT reported that fewer that one in 10 small businesses were prepared for the data changes with less than three months to go. Research by the Federation of Small Businesses (FSB) revealed an alarming lack of knowledge about the requirements of the GDPR. What’s more, the FSB says that its members are spending seven hours a month on data protection compliance, at an average cost of £1,263.
How can SMEs ensure they comply with the GDPR?
Businesses need to be transparent, secure and fair in the way they collect, use and store personal data. So what does GDPR means for SMEs and what action should they take?
Firstly, don’t panic. It’s likely that many organisations already comply with the existing Data Protection Act 1998 . Also, smaller businesses with low volumes of data and complexity shouldn’t need to devote too much time or resource to ensure compliance. The new GDPR is a good opportunity to check that your house is in order with regard to personal data. A regular data review and data cleanse is in any case a good idea and in the long run will make your operation more efficient.
● Check you action plan – at this stage of the game, businesses should have developed an action plan for complying with the GDPR by the deadline. You should identify a lead person who has on-going responsibility for this area. Check your plan to ensure you have taken action in the relevant areas. This will include:
√ An information audit – documenting your data collection processes, data flows and where data is stored.
√ Determining the lawful basis for storing and processing personal data. You’ll need to be clear about the terms and include all the relevant areas where data protection laws could apply e.g. customer information, staff records, CCTV etc.
√ Refreshing consent – You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
√ Data security – you may need to add extra security measures such as more effective digital firewalls to guard against data breaches.
√ Update Policies – Update your Data Protection Policy, Privacy Statement and Processing Notice regarding to ensure it complies with the new regulation.
Some further steps to take include:
● Check your marketing compliance – If you do telephone, email or other electronic marketing then you need to comply with the Privacy and Electronics Communications Regulations. Guidance on direct marketing is available from the Information Commissioner’s Office.
● Communicate with your data subjects – whether they are customers, staff or suppliers make sure that you have told them about the great importance you place on the safety and security of your data. Inform them about how their personal information can ‘be forgotten’ (permanently deleted) on request. This can be via individual communications (e.g. emails) and combined with a statement on your website about your updated policies.
● Implement an internal communications plan – ensure your staff have a clear understanding about their own data and about your policies and procedures to protect the personal data of others which they handle.
● Update your staff training – Include GDPR information in training and induction of new staff to ensure they keep your business compliant.
● Develop a procedure for handling data breaches and information requests – You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
Case Study: You can read here about how one UK Not-For-Profit organisation tackled GDPR and opted for professional GDPR advice to inform their own preparations.
The Information Commissioner’s Office (ICO) regulates data protection in the UK. It has a dedicated advice service for small organisations to check on what they should do.
Alongside the undoubted levelling of the playing field which IT brings for small businesses, it also brings its own responsibilities. Firms with fewer resources than larger competitors must also pay attention to factors such cybersecurity and data protection but don’t always have the staff or time. It can be an onerous burden having to understand and apply new legislation.
If your in-house IT is lacking expertise or pressed for time, then small businesses should consider using an affordable and professional IT support firm to provide solutions. We can ensure that you comply with the latest data and security laws.
Whether you need help with GDPR-compliance or any other ICT related issue in your business, 360ict Ltd can help. It offers a wide range of IT services to small businesses which are designed to let you get on with your business.
If you do require further advice or information please do contact us on 0208 663 4000 or Contact Us.