The General Data Protection Regulation (‘GDPR’) comes into force on 25th May 2018 and affects you, as an SME, and every other business in the UK that gathers and processes personal information on customers, prospects or employees. Noncompliance doesn’t just mean a rap on the knuckles; it could lead to your business facing major interruptions and reputational damage. Your wallet could be impacted too: under the new laws, the significant increase in fines could put a company like yours out of business or leave you facing lengthy and costly legal action. So, what do you need to know to prevent this?
In this first of three blogs to GDPR from BCU Advantage, we draw on the expertise of Birmingham City University academics to provide you with answers to the burning business questions surrounding this topic. Here, we’ll help you clarify how GDPR affects you legally, and highlight key changes to ensure your business is ready for GDPR, alongside dispelling myths surrounding GDPR and Brexit.
Will GDPR have legal implications for my SME?
Some media reports have suggested that GDPR will be more lenient on SMEs, and with many of the data protection principles and requirements remaining unchanged, it’s easy to see how SMEs could miss important updates.
SME owners may think they’re less likely to be in the firing line compared to large corporates, but the truth is that GDPR introduces changes that will affect businesses of all sizes, big and small. GDPR impacts day-to-day operations, introduces more stringent sanctions and puts in place new and important express requirements for your business to act upon.
A key change is that it is no longer enough to simply comply with legislation: the new accountability principle means you must be able to demonstrate compliance. Don’t despair; there are some exemptions for SMEs (businesses with under 250 employees), but truth be told they are very limited unless you carry out higher-risk processing or process sensitive personal data.
If you process or hold any personal data, or use a third party to hold and process data on your behalf, you could be held liable if you use that data without an appropriate legal right or suitable controls in place. It’s worth stressing here that size doesn’t always matter: as a smaller company you will still need to comply with and understand the new requirements. For example, you must report any personal data breaches within 72 hours to the Information Commissioner’s Office (‘ICO’).
If you’re not compliant, enforcement action could be taken, which could include business disruption, reputational damage, significant fines, criminal proceedings and potentially a criminal conviction, all of which are likely to be devastating for an SME.
These legal implications mean you shouldn’t belittle GDPR. However, as Haydn Davies, Head of the School of Law at Birmingham City University comments, the severity of your data breach is taken into account when establishing the penalty you’re faced with: “The biggest penalty if you breach GDPR is the ‘higher maximum amount’ of €20m or 4% of annual turnover – whichever is greater – and the other one is the ‘standard maximum amount’ of €10m or 2% of annual turnover – whichever is greater. Although the legislation offers some limited defences for companies, the best defence will be to ensure rigorous compliance and excellent data management systems to avoid the attention of the Information Commissioner’s Office in the first place.”
Won’t Brexit remove the need for my SME to comply?
In light of the timetable for the UK to leave the EU in just 12 months, you may well be thinking “do I really need to bother complying?”
You’re not alone; Crown Records Management found that 44% of UK businesses think GDPR won’t apply post-Brexit. This is not true! The UK government has confirmed it will comply with the GDPR and replace the UK Data Protection Act, with a new Data Protection Bill currently making its way through parliament.
The new Data Protection Bill will:
- Make our data protection laws fit for the digital age, in which an ever-increasing amount of data is being processed
- Empower people to take control of their data
- Support UK businesses and organisations through the change
- Ensure that the UK is prepared for the future after we have left the EU
Data protection is one area where there is no uncertainty as a result of Brexit:
- Statements from Government have confirmed that full effect will be given to the GDPR notwithstanding Brexit, with a new bill currently being passed in parliament
- If you wish to employ and/or undertake any business with any European Union citizens, you will need to fully comply with the GDPR and/or equivalent data protection laws
As Alex de Ruyter, Professor and Director of the Centre for Brexit Studies at Birmingham City University comments, the UK doesn’t have the power to override GDPR: “Given that the UK isn’t a major economic power on its own, its ability to create its own rules with regards to data protection is fairly limited. It is therefore more likely to take pre-existing legislation than make its own. If the UK no longer wants to be part of the EU regulatory orbit then the only other realistic scenario would be for it to follow US data protection laws. But it’s most likely that the UK will adopt GDPR, given the high level of trade deals we hope to do with the EU.” Brexit aside, if you do international business in the EU and handle any EU citizens’ personal data in any capacity, you must be GDPR compliant.
What technical data handling changes do I need to make?
Enterprise data management solutions provider Solix Technologies claims that 82% of organisations currently aren’t certain where their most sensitive personal data is stored. If this is the case for you, you may be wondering where and how to start your GDPR preparations.
Don’t panic! Preparing for GDPR doesn’t have to be a last-minute, frantic task if you put the right systems in place now.
So, where do you start? Given that data protection is rarely a top priority for SMEs, you may be unable to answer crucial GDPR questions such as “What kind of personal data do we retain?” and “How long do we keep the data for?” Getting these basics right is key, as GDPR will require you to understand in more detail precisely what data you have access to and all of the different areas of the business in which that data is held.
Example questions to ask yourself:
- What information do you collect on your website?
- Where do you store information? On local networks? In the cloud? How is it secured?
- How long do you keep data?
- What is the legal basis of processing?
- Do you rely on consent? Was it freely given?
Accountability means you should have clearly documented data governance, e.g. data mapping, written policies, audit and review, records of processing and clear data breach reporting systems. At first glance this may seem potentially irritating for your business, but with the right approach to GDPR built into your business policy and operating procedures, you can achieve compliance while driving business efficiency, improving processes and practices, and providing a better overall customer experience.
As Ron Austin, Associate Professor in Network Engineering at Birmingham City University’s Faculty of Computing, Engineering and the Built Environment comments, you may need to reassess and possibly even overhaul how you manage your data, particularly if you rely on ‘consent’ as your basis for processing personal data: “The processes required to efficiently manage and secure data are missing from so many organisations, particularly SMEs. Business owners will now have to ensure that their IT networks only retain data which has been approved by the subject, and must be able to prove it.”
So remember, if you don’t have processes in place, it’s not the end of the world. Focusing on answering the basic questions about the data you store and manage is the first and most important step towards building the processes and systems that will let your business manage its accountability and compliance with GDPR.
Don’t worry; you still have time to take control of GDPR!
We understand that it’s daunting as an SME to prepare for such large changes in data protection law. That’s why our next two GDPR blogs will highlight the steps you need to take to comply with the required changes, giving you the knowledge to make sure your SME is compliant by 25th May 2018 and beyond.
We’ll help you see that GDPR doesn’t have to stifle your business effectiveness once it has come into force, but can instead be used as a tool to help improve your business processes.
This blog is by Jacob Rickett, Head of Legal Services – Birmingham City University.