Why small businesses should get ready for the GDPR now

David Wood, IT Director at FDR Law discusses GDPR

Recent research shows many UK businesses ignore company policies around confidential data. One in 12 office workers (eight per cent) has had access to confidential information that they should not have had, and nearly a quarter (24 per cent) admit to storing work information in the public cloud even though they are not permitted to, potentially jeopardising personal data.

All businesses must comply with data protection laws, but as technology and the way information is used has developed, so has the law. With the General Data Protection Regulation (GDPR) coming into force in May 2018, businesses will soon be subject to large maximum fines for certain data protection breaches, making the adoption of robust data protection policies and practices a priority. Here, David Woods, IT Director, at FDR Law, explains what you need to know.

What is the GDPR and how will it affect my business?
The result of four years of planning amongst EU member states and other interested parties, the General Data Protection Regulation (GDPR) is designed to give EU residents control of their personal information, and provide a simplified way to monitor the use of this data within businesses. In short, people should be able to see exactly how and where this information is being used. The Government have been clear that the UK’s exit from the EU will have no impact on the introduction of the GDPR.

The regulation must be observed by all organisations, regardless of size or current location, who are the controller or processor of data belonging to an EU citizen. However, many SMEs may find that due to the type and volume of data they process, they will have reduced their risk to within the lower tier of fines. That said, with this set at ten million Euros, it is still a considerable concern for smaller firms.

Organisations with over 250 employees will also need to appoint a specialist Data Protection Officer to oversee all their data processes, police the organisation, and liaise directly with the ICO. On the face of it, this may give the impression that many UK small businesses will be exempt from this requirement. However, it isn’t quite that simple. A business must still comply if it’s involved in regular “processing” of certain categories of personal data - including health data, criminal data, data pertaining to minors, information on racial or ethnic origin, political affiliations, religious beliefs, genetic and biometric data and sexual orientation – and is legally taken to include the collecting and storing of as well as actually using, said data.
Another stumbling block to compliance is that there is currently an international shortage of qualified candidates for the DPO role. Fortunately, the guidelines stipulate this can be an external appointment, and may also be purchased into the organisation as a service. Given this, many SMEs may want to utilise the option to take a voluntary DPO on board. Those companies that are not required to take a mandatory DPO may make a voluntary appointment; this is seen as the most efficient and effective way to discharge your comprehensive GDPR compliance obligations.

While explicit consent is currently only necessary for sensitive personal data, under the GDPR organisations will need to obtain express consent to the processing of any personal data, effectively requiring data subjects to actively opt in so that companies can prove the data was given willingly and openly. An important note here for smaller organisations who may not have considered it before, is that this consent also has to be documented for your historical data so now is a good time to start to ask for consent. In addition, with organisations no longer be able to rely on third parties to safely store or process their consumer data on the basis of ordinary assurances, IT departments will need to ensure that Cloud vendors storing, securing and processing data comply with the GDPR’s new and stringent requirements.

The GDPR will also introduce a strict data breach notification process which will require businesses to report any breach within 72 hours unless the breach is unlikely to result in risk to the individual(s) concerned. Currently, a data controller or data processor can be fined up to £500,000 in respect of any breach, but the new regulation will see fines based on a two-tier system with businesses being fined up to either 2% of worldwide turnover or 10 million euros (whichever is the greatest) or 4% of worldwide turnover or 20 million euros (whichever is greatest), depend on the nature of the breach. 

The GDPR will also give individuals the right to ask businesses to delete their personal data in certain circumstances, for example asking a search engine provider to remove results that are outdated or irrelevant. This is known as the right to be forgotten.
Put in the groundwork now

With the regulation promising to take its toll on businesses through the revision and implementation of new processes and procedures, company IT teams will be required to carry out in-house evaluations of their data protection processes and policies.
Here are seven things small businesses could do now to pave the way for a smoother transition:

1. Consider whether it is even necessary to process personal data. If so, it may be worth anonymising the data reducing the businesses exposure to the GDPR.
2. Audit and document all the personal data they hold, making a note of where it came from, what they use it for, and who has access to it both within the organisation, and externally. Do a mini risk analysis of all your data, and be prepared to do a full DPIA (Data Privacy Impact Assessment) on any data deemed to be high risk or sensitive.
3. Review current privacy notices. The GDPR requires businesses to include certain additional information in their notices including, for example, the data subjects’ right to complain to the Information Commissioners Office (ICO). The ICO has published a Code of Practice which sets out the new requirements.
4. If your business relies on consent, review how you obtain and record that consent. Under the new regime businesses will need to be able to demonstrate that consent has been freely given which will require them to produce clear records.
5. In the event of a personal data breach, the Regulation requires organisations to notify the authorities within 72 hours of becoming aware of the exposure so it’s important IT teams have an effective cyber incident response management plan in place for how your company will respond to a data breach quickly and effectively. Considering how they will report any data breaches within the strict 72-hour deadline.
6. Appoint a specialised Data Protection Officer to take responsibility for compliance and circulate the message with the rest of the business. As stated, this needs to be a qualified individual, but they can be externally appointed, and this is an effective way to mitigate your risk of a larger fine.
7. Ensure your paper-based documentation is handled and destroyed securely. Paper and physical data can be one of the biggest areas of loss and theft. Review your current cyber security, and ensure firewalls, encryption, and so on are robust.

With less than a year to go, it’s crucial that all businesses begin to take a proactive approach in preparing for the forthcoming GDPR now. The sooner you can implement the new system, the easier it will be to transition.