GDPR Guide for small businesses
November 24, 2017 | By vicki
The General Data Protection Regulation (GDPR) aims to bring consistency to Europe-wide data protection laws and safeguard consumer data in this age of constant connectivity and social media.
This new legislation is focused on giving consumers more control over their data and increasing the accountability of organisations.
Non-compliance is not an option
No matter how small your business, you must comply with regulations for secure data collection, data storage and the use of personal information.
Don’t assume you can carry on managing personal data in spreadsheets. They make it hard to locate, link, correct and delete an individual’s data, which puts you at risk of breaching your obligations under GDPR.
Far greater penalties
GDPR is much broader in what is deemed personal data. What’s more, breaches will incur penalties far larger than those currently available under the Data Protection Act (DPA).
The new fines have an upper limit of €20 million or 4% of annual worldwide turnover, whichever is higher (a lower tier of €10 million or 2% applies to less serious infringements). “Whichever is higher” is the key phrase for SMBs, as a single breach could financially ruin a small business.
According to NCC Group, the fines issued by the Information Commissioner’s Office (ICO) in 2016 amounted to £880,500. Under GDPR the same cases would have attracted £69 million, 79 times higher.
Individuals can claim compensation
You also need to be aware that individuals affected by a breach can sue you for compensation. So, if the recent ransomware attacks didn’t spur you into taking robust antivirus and cyber security measures, GDPR and its associated fines certainly should!
If dealing with personal data is a routine occurrence within your organisation, you need to abide by GDPR. The ICO states that any business currently subject to the Data Protection Act (DPA) will also fall under GDPR.
GDPR as an Opportunity
The ICO has also stressed that the upcoming changes should be seen as an opportunity for a fresh approach in reviewing and building on current data protection measures.
Another plus of GDPR is that it protects your business’s reputation: by forcing you to take responsibility for the personal data you hold, it makes your business a harder target for attackers.
It also strengthens the supply chains you are part of. Larger organisations will almost certainly demand GDPR compliance from the partners they choose to work with, so being a strong link in that chain is vital.
Manage data in accordance with best practice to retain and gain business whilst protecting your reputation.
In a perfect world all data would be stored securely, with processes in place to keep personal data separate and under a security framework, but that is not the reality. Each employee may hold, say, 10GB of unstructured data on average, with around 10% of that containing Personally Identifiable Information (PII).
The key GDPR changes you need to know about
- Consent – the way you record contact data and the consent given by the data subject/individual changes significantly. You must collect and hold informed, specific and ongoing consent for each type of data processing and direct marketing activity; consent cannot be assumed. When and how consent was given must be recorded in a way that is quick and easy to find should a request be made. New rules will also dictate how long you can store contact data for.
- Legal basis for processing contact data – you cannot process contact data without a legal basis for doing so, and that basis must be adequately documented.
- Principle of “accountability” – businesses need to be able to “demonstrate” compliance with the data protection principles, not merely comply with them.
- Transparency – privacy policies, notices, etc. must give full details and be written in clear, plain language so that they are understood by all.
- Subject Access Requests (SARs) – new rules apply when contacts request details of the data you hold on them.
- Right to be forgotten – individuals can request that all data you hold on them be erased (subject to limited exceptions, for example where you must retain it to meet a legal obligation).
- Appointment of a Data Protection Officer (DPO) – many SMEs will be exempt from this, but someone still needs to be responsible for the management of data to ensure compliance with GDPR.
- Mandatory data breach notification – all businesses must have procedures in place to notify the local regulator, such as the ICO, within 72 hours of becoming aware of a breach (unless it is unlikely to result in a risk to individuals) and, where the breach is likely to result in a high risk to them, to notify the affected data subjects/individuals without undue delay.
- Portability and erasure of data – not easy for a small business to undertake, as data tends to be scattered across network folders, databases, mobile devices, individual PCs etc., so you would have a tough time retrieving all data on one contact.
- Third party requirement – more likely to bite SMBs, as they don’t tend to have a dedicated IT team and therefore rely on third party data handling services. If services like cloud-based backup, third party order processing, outsourced customer support or SaaS application providers are storing and processing your data, they are Data Processors that must meet GDPR requirements, and you need a written contract with each of them setting out their data protection obligations.
- Data Protection Impact Assessments (DPIA) – required by GDPR before you start any processing likely to result in a high risk to individuals (systematic monitoring is one example), and revisited as that processing changes.
Key considerations around data collection and processing
When collecting or processing personal data your organisation, as well as your suppliers that handle data on your behalf, must apply these key points:
- Process data lawfully, fairly and transparently
- Only collect data for explicit and legitimate purposes
- Data must be relevant and necessary for processing
- Keep data up to date and accurate with processes in place
- Keep identifiable data only if necessary for processing
- Protection for children – for online services offered directly to children, you need parent/guardian consent to process the data of a child below the age threshold (16 under GDPR, though member states may set it as low as 13)
- Ensure you are equipped to satisfy SARs within set times
- Keep all data secure
How to prepare for GDPR and what to look out for
To help prepare we suggest taking the following actions:
- Allocate a budget and assign responsibility for data protection to an individual.
- Undertake an initial Data Protection Impact Assessment (DPIA) now, as GDPR requires one before you start any processing that is likely to be high risk, and revisit it whenever that processing changes
- Consider current policies and procedures and whether these meet the obligations imposed under GDPR
- Ensure all employees understand what counts as personal data and how they must handle it, as data protection is a business-wide concern
- Prepare well in advance. Devise a plan for data management and GDPR compliance by January 2018, ahead of GDPR applying from 25 May 2018. Start examining the types of breaches your business may be exposed to and manage the risks
- Make sure you can satisfy SARs: individuals have the right to a copy of their personal data, normally free of charge and within one month, and where the right to portability applies it must be supplied in a commonly used, machine-readable format. One solution is to provide contact-facing online options via your website for giving consent, making requests and withdrawing data, so that data management does not become a manual drain. Make your systems work for you
How we can help:
IASME (Information Assurance for SMEs) Governance accreditation is a straightforward and cost-effective alternative to ISO 27001 that incorporates UK Government-backed standards for information governance, baseline IT security and GDPR readiness.
Once certified you receive badges that you can place on your website and communications to reassure your supply chain that you will not expose them to any undue security or GDPR risks.
In our capacity as an IASME accredited certification body, we can help you achieve your certification quickly and effectively. We offer a range of competitively priced IASME Packages to suit your budget, timeframe and level of experience.
Prices start from just £400.