GDPR countdown – fuss free advice for small businesses
As a small business owner, GDPR is an acronym that you’ve probably heard being thrown around a lot lately. It’s easy to tune out once people start getting into the detail of GDPR and what will happen to data privacy laws after 25th May, because, let’s be honest, betting on what the Royal Baby is going to be called is far more entertaining than discussing who your company’s data officer is. Unfortunately, even though you’re a small business, you’re not exempt from the changes to data privacy laws, so you’ll have to prepare too.
Now is the time to prepare as there is JUST ONE MONTH until the new data regulations are enforced. So to make sure you’re prepared, we’re going to cut through the jargon, and get straight to answering the important questions like: what is GDPR? What changes are happening to data privacy laws? What are the penalties of GDPR? What do small businesses need to do to prepare for GDPR?
What is GDPR?
GDPR stands for General Data Protection Regulation. It’s a set of rules that will be enforced from the 25th May 2018. These data privacy laws will protect an individual’s private information, so that companies can’t share personal data. This includes (but is not limited to):
- contact details
- criminal convictions
- political and religious views
What is GDPR going to change?
Data privacy laws already exist, but after 25th May there are a number of changes to these laws as well as new ones coming into effect:
- data can now only be processed if consent has been given
- “opt-out” schemes no longer give an organisation a lawful basis to hold and process data
- data held by companies must be kept up to date
- organisations with over 250 employees must have a data protection officer
- organisations will be held liable for any non-compliance by their suppliers
- data privacy statement documents have to be immediately accessible and easily understood
- fines for non-compliance will dramatically increase
- children’s data will be included under new protection laws
- it’s easier for people to claim compensation if their information is used against their will
What are the penalties for non-compliance with GDPR?
Whether you’re a huge corporation or a small startup, if you handle customer information and personal data you must be compliant. Here is what will happen if you’re not:
- For infringing the ICO’s code of practice, organisations face fines of up to 2% of their annual turnover or €10 million, whichever is higher
- For breaches of people’s personal data, organisations face fines of up to 4% of their annual turnover or €20 million, whichever is higher
What do small businesses need to do to prepare for GDPR?
Don’t be fooled into thinking that just because you’re a small business, you’re definitely already set for GDPR. It’s always better to be safe than sorry, so here’s a list of ways you should prepare:
- Make sure decision makers in your company know about the upcoming changes to GDPR laws
- Organise an information audit so you can clearly document what personal data your company holds, where it came from and who you share it with
- Check your procedures and make sure all rights of individuals are covered, including how you would provide and delete data electronically and in a widely used format
- Review current privacy notices and update them according to the changes if needed
- Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it
- Update your procedures and how you will deal with customer data requests and provide information within new timescales
- Think about how you will seek, record and manage consent and refresh any existing consents now if they don’t meet the GDPR standard
- Make sure you have the right procedures in place to detect, report and investigate a personal data breach
- Think about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity
- Familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation
- Consider whether you need to designate a Data Protection Officer and, if so, appoint one to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements
- If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority.
The good news for small businesses is that you are likely to have a smaller amount of data to sift through when it comes to figuring out matters of consent. Your privacy statement is also likely to be a lot more black and white, and more basic, than a huge corporation’s. You still have a month to get everything in order before the fines start being levied, but do not let the clock run out on you!
Helpful articles for preparing for GDPR:
General FAQs: https://goo.gl/hGQqXS
How to tackle GDPR before time runs out: https://goo.gl/zhJCpJ
Key changes occurring to GDPR: https://goo.gl/Sn12m4
Information Commissioner’s Office (ICO) advice for small businesses: https://goo.gl/pu9ozN
ICO advice on how to prepare: https://goo.gl/p8HGwk