In April last year, the EU (European Union) parliament finally agreed to replace the Data Protection Directive 95/46/EC with the EU General Data Protection Regulation (GDPR).
Designed to ‘protect all EU citizens from privacy and data breaches,’ the GDPR ultimately strengthens and harmonises data protection laws for individuals within the EU. It will become fully enforceable throughout the European Union from 25 May 2018.
So, what does this mean for small-to-medium (SMB) size businesses in the UK? Here are some common questions and answers about SMBs and GDPR.
Fact: GDPR applies to anyone who provides good or services to (or monitors the behaviour of) people in the EU.
The GDPR doesn’t just apply to organisations located within the EU; it extends to any business that offers goods or services to people in EU countries. If your company processes or holds the personal data of any person residing in the European Union, you’re bound by GDPR - regardless of your location.
Will GDPR still apply to UK businesses after Brexit?
Yes, absolutely. The UK government has confirmed that it will implement GDPR regardless of the decision to leave the EU. This confirms that UK businesses will need to become GDPR compliant by 25 May 2018.
‘I was compliant with the previous Data Protection Directive, so I have nothing to worry about.’
Although GDPR retains many of the privacy principles set out in the previous directive, many changes have been made to it. This means that even if you met the requirements of the Data Protection Direction 95/46/EC, you may not be compliant with GDPR.
You can review a full summary of the changes here.
It’s important to note that GDPR is substantially different from the previous directive, and that it is a regulation - not a directive! A directive is a legislative act that sets ‘goals’, while regulation is a binding legislative act that is applied and enforced in its entirety.
What are the penalties for non-compliance?
Businesses can be fined up to €20 million or four per cent of annual turnover for breaching GDPR. This is the maximum fine that can be imposed for serious infringements, like violating privacy laws or not having the required consent to process data.
In general, the EU will take a ‘tiered approach’ to fines. For example, a business can be fined two per cent of turnover for not notifying authorities and customers about a data breach. It’s important to be aware of your compliance requirements and reporting obligations, and to make sure that you have the right security measures in place to ensure you’re not fined or penalised for negligence and non-compliance.
What can my business do to prepare for GDPR?
There are several practical steps every SMB can take to prepare for GDPR:
- Review privacy policies. Get them up to scratch and ensure that privacy policies, procedures and associated documentation are compliant and up-to-date. Data protection authorities can ask to see these at any time, and so can your customers.
- Implement a data breach notification process. Review your breach detection and response capabilities, and implement a (documented) incident management process. You will be fined if you fail to notify relevant authorities about a data breach, even if you have protective security measures in place.
- Get your security and privacy controls up-to-scratch. Enforcing good security and privacy measures as part of your business systems and process is necessary for meeting the ‘privacy by design’ requirement. It will also make your overall security posture stronger, which is good for business growth.
This is just the tip of the iceberg; there’s a lot your business can do to prepare for GDPR. If you’re not sure where to start, review this summary of the regulation by the Information Commissioner’s Office so that you understand the scope of GDPR and how it applies to your business.
Get a hand with GDPR
UK SMBs should also enlist the help of an IT partner to help prepare for GDPR.
Why? An IT partner can review your overall preparedness and help you with the finer details like developing an IT security policy, data protection or how to keep data safe in an overseas office. Their advice and attention to detail can help you avoid hefty fines for non-compliance, and also help your business improve its overall security and privacy controls.
Any more questions?
If you’d like to know more about GDPR or how an IT partner can help you prepare, let us know in the comments or email us at firstname.lastname@example.org.