So does GDPR affect small- to medium-sized companies? The only answer is YES.
The EU General Data Protection Regulation (GDPR) is for every company that uses or processes data. And no, just because we are leaving the EU doesn’t mean that you can ignore it.
Currently, the UK has the Data Protection Act 1998, which was passed following the 1995 EU Data Protection Directive, but this will be superseded by GDPR. It introduces tougher fines for non-compliance and breaches, as well as giving people (not just customers) more say over what companies can do with their data.
I see this as an evolution of the Data Protection Act and it should be deemed as such. It will be a lot of work for some companies but it should be seen as a good thing to implement for your customers.
With regard to the tougher fines, there’s a new Data Protection Bill being put forward by the UK government.
This replicates the requirements under GDPR for the long term, and once the bill is passed it will help to clarify the regulations for protecting data when the UK leaves the European Union, by creating a British version of GDPR.
Just like GDPR, it sets out sanctions for non-compliant organisations, and the Information Commissioner’s Office (ICO) will be able to issue fines of up to £17 million, or four per cent of global turnover, whichever is higher, as opposed to €20 million and four per cent of turnover under GDPR while we are in the European Union.
Very effective team
Small businesses and organisations in the UK have until May 25, 2018 before the law actually applies to them. While I am neither a compliance team member nor a regulatory boffin, I do spend a lot of time reading articles, regulatory drafts and information. I’ve also attended a lot of webinars that give me advice on anything that may affect First Response Finance. We have a very effective compliance team here but I know that I need the awareness.
I’ve learnt a lot recently and I’m still digesting GDPR, as well as the new e-Privacy Regulation drafts that have recently been released, and I’d advise that you do the same and turn this advice into output quickly. There’s a lot to take in and get your head around but it’s worthwhile.
You will need to act now and also involve others, aligning all departments to get this right. GDPR touches most departments, from HR, training, IT and marketing to sales, account management and customer services, so you will need to get complete buy-in from around your business.
Even as a small business you’ll need to work on a data audit and map all the data you hold. Even if you haven’t got multiple departments, you may have multiple sources, multiple storage locations, multiple types of data capture and multiple companies that you send data to. By mapping out all of this data and documenting it you will have started the process.
The ICO is a risk-based regulator, but if you get a complaint you’ll need to be able to show why you do what you do with your data and what your policies and procedures are. This needs to include what you hold, why you hold it and what gives you the right to use it.
There’s a lot more to do, so make sure you get advice from a specialist third party.
Who is Ben Garside? Ben is marketing manager for First Response. Call him on 07817 518739 or email firstname.lastname@example.org