Is Your Business Ready For the General Data Protection Regulation?


If not, you are not alone: according to a report from Ipsos Mori, one in four UK businesses are not currently aware that data protection laws are about to change and nearly one in two have failed to start preparing for the enactment of the General Data Protection Regulation (GDPR) in a year's time.

What SMEs need to know about GDPR

The GDPR comes into force on 25th May 2018. These European Union rules (which the UK government will implement despite Brexit) have been described as the biggest ever overhaul of data legislation.

The legislation applies to any SME that is targeting consumers in the European Union and holding or transporting data relating to them.

Some of the key obligations under the GDPR for SMEs include:

  • showing how and why the business obtained the personal data that it is holding;
  • holding evidence that each individual gave their unambiguous consent to their personal data being held and used in the way that the business uses such data; and
  • ensuring that each individual’s data can be deleted without undue delay.

The GDPR will give individuals the right to ask companies to supply additional information about the personal data gathered about them – businesses will have to respond (without charge) to a subject access request within one month (rather than the current 40 days) and supply information including the envisaged period for which the data will be stored and how the individual can request erasure and rectification of their personal data.

How do you ensure that your business is compliant?

As the GDPR may involve substantial changes to existing compliance strategies and arrangements, SMEs should start their preparation now.

The Information Commissioner’s Office (ICO) has created a webpage dedicated to guidance on the GDPR: https://ico.org.uk/for-organisations/data-protection-reform/.

8 Top Tips:

  1. Take the time now to plan ahead. Create awareness among the senior decision makers in your business in connection with the new GDPR.
  2. Review existing data protection policies and practices including employment contracts, staff handbooks, employee policies and subject access request communications.
  3. Carry out an internal audit to ensure that you have clear records of all of your data processing activities – recording where data has come from and who it is shared with.
  4. Review privacy notices and put in place a plan for making any changes to comply with the GDPR.
  5. Develop and implement a data breach response plan (including designating specific roles and responsibilities, training employees, and preparing template notifications) enabling you to react promptly in the event of a data breach and complying with the data breach reporting obligations in the GDPR.
  6. If you operate an online business, you should start to consider how you will verify a young person's age and how you will obtain parental or guardian consent, where necessary.
  7. Review any existing data processing agreements and ensure that whoever has data processing obligations will have a duty to comply with the additional obligations set out in the GDPR.
  8. Consider whether to appoint a data protection officer with expert knowledge of data protection – in some cases it may be mandatory to do so.

Failing to comply will be costly

Substantial penalties can be imposed on SMEs that breach the GDPR, including fines of up to €20m or 4% of annual worldwide turnover, whichever is greater.

IBB's commercial lawyers can keep your business on the right side of the GDPR obligations. If you would like advice on the new regulations or any of our other services please call on 01895 207264 or email corporate@ibblaw.co.uk.