Introduction
We are fast approaching the May 2018 enforcement of the GDPR – the General Data Protection Regulation. Just more red tape for business? Well, yes and no. With so much of our data out there, and 90% of Europeans wanting a consistent level of protection, it is understandable to have one harmonised set of rules.
For companies trading across multiple countries, dealing with a maze of different laws is costly and time consuming to administer. So, harmonising makes a huge amount of sense.
However, for small businesses, there will be a new level of compliance, which will take some adjusting to. If working from home, how do you look after paper client files? What extra precautions do you need to take sending data? What are the penalties for noncompliance?
What is GDPR?
Since 2012 the EU has been preparing for and developing a single set of rules for data protection. In 2016, Regulation (EU) 2016/679 and Directive (EU) 2016/680 were adopted by EU member states, with a two-year period for application to local laws. The Directive applies from the 6th of May 2018 and the Regulation from the 25th of May 2018.
The two pieces of law provide greater levels of protection, control and transparency for individuals when their data is being used. This applies to any data transferred in, out and within the EEA*.
Penalties
This will be the rub for small business. Any reported breach can be very costly, and neither of the two levels of fine is ideal. The first penalty is set at up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. That’s right: even if your turnover is £80,000 a year, you could face a fine of up to £10 million!
This lower tier comes into play when businesses do not fulfil their obligations under the regulation, such as not subcontracting correctly, not appointing a data controller, not reporting breaches when required, and a host of other obligations.
The second tier is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.
This tier is triggered by breaches of the rules on international transfer, of the basic principles of data processing, and by non-compliance with orders imposed by supervisory authorities.
I don’t trade in the EU so why bother?
Brexit or no Brexit, if you are a UK based company trading outside of the EEA, you will be bound by the new regulations from May 2018. If you are storing consumer data within the EEA, you are bound.
This potentially applies to some non-EEA based companies as well, especially if they have outsourced any part of their business to an EEA based supplier which handles consumer data, or if they trade with EEA based customers.
Finally, with more companies storing data in the cloud, where those servers are based could also have an impact.
Personal data
No matter how many boxes you tick to say you don’t want your data going to third parties, we all still get junk mail, unsolicited emails and annoying sales calls. The new regulations are set to protect you further.
You should be notified when your data is being used, and you can ask for that data to be deleted or changed, etc. There are further entitlements which can be found through search engines and the links provided below.
What next?
1. Don’t wait until May 2018 to comply. Start your journey now.
2. Understand the data you are collecting from customers – do you need all of it?
3. Are you getting written consent from customers to collect their data?
4. Have you updated the terms on your website if you collect data from it?
5. How are you disposing of paper documents? Do you have secure shredding?
6. Review your IT infrastructure. Is equipment encrypted? Where are your servers based?
7. Appoint a data controller and make sure they know their responsibilities.
8. Seek professional guidance: contact your local enterprise board, trade organisations, accountant, lawyer, etc. to source a data audit and a review of your business needs.
*The European Economic Area, which includes Iceland, Norway and Liechtenstein.