By 25 May all businesses across Europe must comply with the new EU regulation, which aims to streamline data privacy laws. And with the deadline looming, business leaders and managers haven’t got long to prepare, with hefty financial penalties facing those that fail to do so.
Despite this, a YouGov poll at the end of 2017 revealed that just 22 per cent of small businesses had started taking action to implement these changes. Here we outline a checklist for bosses to ensure they are fully prepared.
Who must comply?
GDPR will be applied to all businesses which deal with data, whether employing five people or 500. Any business which processes personal client data will need to comply with the incoming regulations.
It is a common misconception that smaller businesses do not need to comply with this regulation. All businesses that handle private data need to be prepared by May 25; if in doubt, contact a GDPR expert and get urgent assistance.
What actions should you take?
It is essential that businesses are fully prepared. Here the legal expert suggests top tips on what action businesses must take.
Identify your personal data: One of the first steps is to identify what data you actually process. Information which identifies, or could lead to the identification of, an individual is considered personal data. This includes names, addresses, identification numbers and online identifiers. Once this is established, the next step is to record how it was captured, how it is held, how you use it, and where it is going.
Impact assessment: Companies which handle a high volume of data, particularly in sensitive professional fields, should undertake a data protection impact assessment. This assessment could help to identify any potential issues which could cause a high risk if their data is revealed.
Consent: Where a business is reliant on consent when handling personal data, greater care must be taken. Requests for consent must be entirely transparent and cannot be hidden among small print. As such, SMEs which are reliant on consent must be able to prove how they obtained it after GDPR comes into effect.
Policies and systems: Data protection must be considered across all aspects of the business, with online systems and policies designed with this in mind. In a digitally driven age it is crucial that online systems can protect personal data, with highly effective security measures in place.
Individual data rights: Individuals whose data is being processed now have greater rights over how it is used. These include the right to access all data held on them; refuse the use of their information for additional purposes; and to ask for the data to be completely deleted under certain circumstances. Under GDPR the individual must have their rights met within one month.
Fair processing policies: Businesses need to include more explanation, in easily understandable language, in fair processing policies. These policies will now need to thoroughly outline the legal basis for using personal data, with greater consideration taken to the purpose for which data is being used.
As GDPR widens the scope by which businesses need to protect data, some aspects of the EU regulation are certain to be overlooked. However, it is imperative that businesses are well-versed in all the new guidelines and comply with them accordingly. Here are aspects of the EU regulation which could be overlooked:
Data breaches: Under the new regulation a data breach covers a far wider set of intentional and accidental circumstances. Rather than simply relating to hacking or loss of information, the GDPR defines this as the loss, unauthorised disclosure, or accidental or unlawful destruction of information that is processed, transmitted or stored, either electronically or on paper.
Putting thorough guidelines in place to help staff recognise and report a data breach is vital, especially as a breach must be reported to the Information Commissioner’s Office within 72 hours.
Supplier terms and conditions: Many small businesses rely on third-party contractors and suppliers as part of daily operations. Some of these contractors may be responsible for processing data for your company, and as such they too must be considered when preparing for GDPR.
Failure to comply penalties
Fines and penalties for failing to comply with GDPR are likely to be far steeper than under the current regulations. Depending on the severity of the breach, companies could face fines of up to £500,000 or four per cent of total turnover. This may vary for SMEs which cannot pay out extensive fines without facing closure.
Stephen Clarke is senior partner at CJCH Solicitors and CEO of CJCH Consulting