The General Data Protection Regulation (‘GDPR’) comes into force on 25th May 2018 and affects you, as an SME, and every other business in the UK that gathers and processes personal information on customers, prospects or employees. Noncompliance doesn’t just mean a rap on the knuckles; it could lead to your business facing major interruptions and reputational damage. Your wallet could be hit too: under the new laws, the significant increase in fines could put a company like yours out of business or leave you facing lengthy and costly legal action. So, what do you need to know to prevent this?
In this first of three blogs on GDPR from BCU Advantage, we draw on the expertise of Birmingham City University academics to provide you with answers to the burning business questions surrounding this topic. Here, we’ll help you clarify how GDPR affects you legally and highlight key changes to ensure your business is ready for GDPR, while dispelling myths surrounding GDPR and Brexit.
Some media reports have suggested that GDPR will be more lenient on SMEs, and with many of the data protection principles and requirements remaining unchanged it’s easy to see how SMEs could miss important updates.
SME owners may think they’re less likely to be in the firing line compared to large corporates but the truth is, GDPR introduces changes that will affect businesses of all sizes, big and small. GDPR impacts day-to-day operations, introduces more stringent sanctions and puts in place new and important express requirements for your business to act upon.
A key change is that it is no longer enough to simply comply with legislation: the new accountability principle means you must be able to demonstrate compliance. Don’t despair, there are some exemptions for SMEs (businesses with under 250 employees), but truth be told they are very limited unless you carry out higher-risk processing or process sensitive personal data, in which case they do not apply at all.
If you process or hold any personal data, or use a third party to hold and process data on your behalf, you could be held liable if you use that data without an appropriate legal right or suitable controls in place. It’s worth stressing here that size doesn’t always matter – as a smaller company you will still need to comply with and understand the new requirements; for example, you must report any personal data breaches to the Information Commissioner’s Office (‘ICO’) within 72 hours.
If you’re not compliant, enforcement action could be taken which could include business disruption, reputational damage, significant fines, criminal proceedings and potentially a criminal conviction – all of which are likely to be devastating for an SME.
These legal implications mean you shouldn’t belittle GDPR. However, as Haydn Davies, Head of the School of Law at Birmingham City University comments, the severity of your data breach is taken into account when establishing the penalty you’re faced with: “The biggest penalty if you breach GDPR is the ‘higher maximum amount’ of €20m or 4% of annual turnover – whichever is greater – and the other one is the ‘standard maximum amount’ of €10m or 2% of annual turnover – whichever is greater. Although the legislation offers some limited defences for companies, the best defence will be to ensure rigorous compliance and excellent data management systems to avoid the attention of the Information Commissioner’s Office in the first place.”
In light of the timetable for the UK to leave the EU in just 12 months, you may well be thinking “do I really need to bother complying?”
You’re not alone; Crown Records Management found that 44% of UK businesses think GDPR won’t apply post-Brexit – this is not true! The UK government has confirmed it will comply with the GDPR and replace the UK Data Protection Act, with a new Data Protection Bill currently making its way through parliament.
The new Data Protection Bill will:
Data protection is one area where there is no uncertainty as a result of Brexit:
As Alex de Ruyter, Professor and Director of the Centre for Brexit Studies at Birmingham City University comments, the UK doesn’t have the power to override GDPR: “Given that the UK isn’t a major economic power on its own, its ability to create its own rules with regards to data protection is fairly limited. It is therefore more likely to take pre-existing legislation than make its own. If the UK no longer wants to be part of the EU regulatory orbit then the only other realistic scenario would be for it to follow US data protection laws. But it’s most likely that the UK will adopt GDPR, given the high level of trade deals we hope to do with the EU.” Brexit aside, if you do international business in the EU and handle any EU citizens’ personal data in any capacity, you must be GDPR compliant.
Enterprise data management solutions provider Solix Technologies claims that 82% of organisations currently aren’t certain where their most sensitive personal data is stored. If this is the case for you, you may be wondering where and how to start your GDPR preparations.
Don’t panic! Preparing for GDPR doesn’t have to be a last minute, frantic task if you put the right systems in place now.
So, where do you start? Given that data protection is rarely a top priority for SMEs, you may be unable to answer crucial GDPR questions such as “What kind of personal data do we retain?” and “How long do we keep the data for?” Getting these basics right is key as GDPR will require you to understand in more detail precisely what data you have access to, and all of the different areas of the business in which the data is held.
Accountability means you should have clearly documented data governance e.g. data mapping, written policies, audit and review, records of processing and clear data breach reporting systems. This, at first glance, may seem potentially irritating for your business but with the right approach to GDPR built into your business policy and operating procedures, you can achieve compliance while driving business efficiency, improving processes and practices and providing a better overall customer experience.
As Ron Austin, Associate Professor in Network Engineering at Birmingham City University’s Faculty for Computing, Engineering and the Built Environment comments, you may need to reassess and possibly even overhaul how you manage your data, particularly if you rely on ‘consent’ for your basis for processing personal data: “The processes required to efficiently manage and secure data are missing from so many organisations, particularly SMEs. Business owners will now have to ensure that their IT networks only retain data which has been approved by the subject, and must be able to prove it.”
So remember, if you don’t have processes in place it’s not the end of the world. Focusing on answering the basic questions about the data you store and manage is the first and most important step to enabling your business to build the processes and systems to manage your accountability and compliance with GDPR.
We understand that it’s daunting as an SME to prepare for such large changes in data protection law. That’s why our next two GDPR blogs will highlight the steps you need to take to comply with the required changes, giving you the knowledge to make sure your SME is compliant by May 25th 2018 and beyond.
We’ll help you see that GDPR doesn’t have to stifle your business effectiveness once it has come into force, but can be used as a tool to help improve your business processes.
Don’t leave your preparations to chance: sign up here to receive future insights from BCU Advantage experts.
This blog is by Jacob Rickett, Head of Legal Services – Birmingham City University.