The GDPR deadline is looming. Are you prepared?
07 Mar 2018
The General Data Protection Regulation (GDPR) has been introduced by the European Union to update and harmonise data protection practices across the EU. It will apply to all EEA countries and any individuals or organisations trading with them. The regulation comes into force on 25 May 2018 (before the UK leaves the EU), so UK individuals and businesses must ensure compliance with the new regime before that date.
Whilst the eight principles still apply, there are big changes for businesses, which urgently need to evaluate their client data: how it is stored and processed, who it is shared with and how it is collected. But, as the regulation concerns all EU citizens' data, many businesses will need to include employees as well as clients.
Under GDPR, business leaders must be aware of the following changes:
Data processors – must now maintain records and are directly liable if responsible for a breach.
Data controllers – new obligations including a duty to ensure that your contracts with processors comply with the GDPR.
Accountability principle – you must show how you comply, e.g. document what you have done and why.
Privacy impact assessments – must be carried out to assess the risk to individuals' rights, for example, when using new technology.
Higher standards for consent.
Enhanced rights for individuals, including the right to be informed, object and be forgotten as well as rights regarding access, rectification, erasure, restrictions on processing, data portability and automated decision-making.
Data protection officer – not mandatory for all organisations but an appropriately senior individual must be responsible for GDPR compliance.
The duty to report a breach quickly will apply to all and failure to report will result in a fine.
Increase in maximum fines (4 per cent of global annual turnover).
Real Business* spoke to Abby Blackmore, head of operations at SME creative digital and social agency Impero, to find out how she is preparing for the switch:
Why is data protection important for a business’ reputation?
“Data and its protection has changed so much since the old data protection rules were written. With the growth of the internet and computers in general, we now have more data than ever at our fingertips. Whilst we can’t fathom doing our jobs without this huge cloud of data, it means we are much more open to data breaches.
“It is important to be on top of your data protection as clients and employees are now much more aware of the importance of their data and its safety and it is a very important responsibility they have trusted us with. I think companies need to show that they have taken that responsibility seriously – fines or no fines.”
How do you keep on top of data protection for employees?
“At Impero we regularly review that our HR software is compliant, and that knowledge of employee data is available only to those who need it. Keeping the circle of access tight, and the software top tier, allows us to be sure we are keeping privacy protected.”
How do you ensure that you are compliant with GDPR?
“GDPR feels like a huge beast when you initially look at it, with far reaching consequences. The first step, as with any big looming project, is to break it down into more manageable buckets of work, prioritising them, and just working slowly but surely to a good place.
“Once your initial audit is done, you inevitably find that you are actually already compliant in a lot of areas, and others just need tweaks rather than massive overhauls. Breaking through the stigma and fear of how big this change feels is the first step.”
GDPR and Brexit
If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear. The UK Government has however indicated it will implement an equivalent or alternative legal mechanism.
At Beavis Morgan, we understand the challenges faced by business owners. We work with many small and medium sized businesses across a wide range of industry sectors, guiding them through the various stages of business life from start up to exit and all the challenges in between. If you have any concerns relating to the matter of data protection, we are able to put you in touch with companies within our extensive network of contacts who will be able to assist. It’s part of our commitment to supporting SME businesses by providing a holistic suite of business advisory services.