What is GDPR?
The General Data Protection Regulation (GDPR) is replacing the Data Protection Act 1998 from 25th May 2018. GDPR will harmonise data protection laws across the EU and will update the current regulations to take full account of globalisation, and the ever-changing technology landscape. The Regulation will apply to any company processing the personal data of individuals in the EU in relation to offering goods and services, or else to monitor their behaviour. Significant penalties can be imposed on businesses who breach the GDPR, including fines of up to €20 million or 4% of the businesses annual turnover, whichever is greater. The level of fine will depend upon the type of breach and any mitigating factors, but they are designed to strongly penalise any businesses who show a disregard for the GDPR.
Does it affect me?
Small business owners often overlook legislation like this because it’s clearly aimed at larger businesses but in this case, everybody who deals with personal data of any kind needs to comply. If you have a business that has any data on individuals (even a phone number), you need to take action ASAP in order to be as compliant as possible by 25th May 2018. If you do any of the following, then GDPR probably applies to you:
Send out marketing emails;
Send a newsletter out;
Engage with customers that are an individual rather than a business;
Use Cookies on your website;
Use CCTV on your work premises;
Employ people.
What do I need to do?
There are too many things to consider when trying to become compliant with GDPR to list them all but the ICO has most of the information for small businesses here. However, there are a few procedures that are fairly universal to any business that holds or processes personal data:
Audit the data – Find out exactly what data you have, where you keep it, and how secure it is, making sure you don’t forget about back-up drives, cloud services, email providers or third-party software providers.
Register with the ICO – Most businesses need to register with the ICO (this will probably cost £35 per year). You can find out if you need to register here.
Check out your storage/software providers – If your software providers keep all their data in the EU then you shouldn’t have a problem as they will need to abide by GDPR too but anything you use that stores data elsewhere may cause you some issues.
Encrypt your emails and hardware – If you don’t already encrypt your emails, laptops or storage devices then you should probably start doing so. While GDPR doesn’t explicitly state that you need to encrypt, if your data is breached it’s going to be hard to convince the ICO that you tried to keep your data secure if you didn’t bother to encrypt it, so the fines could be more substantial.
Update/write your privacy policy – If you don’t have a privacy policy, write one and if you do, make sure you update it so that it complies with GDPR. You can find example privacy policies online and it’s very likely that you’ve received dozens of emails over the past month from companies who’ve just updated their policy. In some cases, if you’re part of a professional body, you can get a privacy policy from them for free that will be tailored to your industry.
If you have any further questions on GDPR then feel free to email us at team@focusaccountancy.co.uk or visit the ICO website.
