The EU’s General Data Protection Regulation, GDPR for short, has been in force since the 25th of May 2018, but there are plenty of small businesses that still don’t know how the regulation affects them. And, while the regulation is less stringent for small businesses, the penalties for failing to comply are incredibly high, with maximum fines of €20 million, or 4 per cent of global annual turnover, whichever is greater. In this blog, we’ll take a look at what is covered under GDPR and what you need to do to ensure your business is compliant.
Businesses that use, collect or store personal data are required to be able to demonstrate that they’re using it lawfully in line with the six data protection principles which are:
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Storage limitation
• Integrity and confidentiality
To start with, Brexit won’t save businesses from the impact of GDPR, as the regulation will be mirrored in UK regulations, so you can’t use this as an excuse for not being compliant. If your business has fewer than 250 employees, then you do not have to comply with as many regulations as larger businesses. However, an individual will always have the right to have their data deleted from your records, in part or in full, regardless of the size of your business.
There are also other factors that could mean that your business is accountable under GDPR regulations and these include:
• If a business fails to report a breach of security to the ICO within 24 hours of its occurrence, and in any case within 72 hours, it can be liable to a fine of up to 2 per cent of its global annual turnover.
• If its data processing is routine, is likely to put the data privacy rights of an individual at risk or includes FCA protected data, then it must comply with all regulations.
One common mistake that small business owners make is assuming that GDPR only applies to data that has been collected since it came into effect, but the regulations apply to all personal data, no matter when it was collected. Personal data includes personal home and email addresses, names and phone numbers, IP addresses, political opinions, sexuality, racial or ethnic origin, religious beliefs, criminal beliefs and more.
If you want to make sure that your business is doing everything it can to comply with GDPR regulations here are a few things that you should be doing:
Make someone accountable for GDPR – Most small businesses don’t put the resources they need into compliance. Appointing someone to ensure GDPR compliance is a step in the right direction.
Carry out a data audit – Do you know where all your personal data is stored? Have you suffered a loss of data, or is your data hard to collate? You are responsible for managing personal data and need to be able to locate it in order to comply with an individual’s right to be informed and to access or erase their data.
Take cybersecurity seriously – If you suffer a data breach you need to inform the ICO within 24 hours or face large penalties. Keeping your data safe should be taken seriously within your business, and cybersecurity is a particular concern for smaller businesses without a dedicated IT department.
Update contracts and privacy notices – Take the time to update your privacy notices and contracts to make sure they are compliant with the additional privacy rules of GDPR.