The General Data Protection Regulation will be enforceable in the UK in exactly six months, on the 25th May 2018. The legislation is bringing a much needed update to the way businesses must deal with personal data, including that of their employees. This has led to many small businesses frantically assessing the way they handle and process their data. In the process, too much room for subjectivity has been left, resulting in confusion for the majority.
In an attempt to sort the fact from the fiction, here are five things that every small business should know about GDPR and how it will affect their company.
GDPR is going to make a big impact
Despite its general name, GDPR is going to have a big impact on small businesses. If you hold and process personal information, you have a legal obligation to protect that information. The Data Protection Act states you must:
- only collect information that you need for a specific purpose;
- keep it secure;
- ensure it is relevant and up to date;
- only hold as much as you need, and only for as long as you need it; and
- allow the subject of the information to see it on request.
Therefore, small businesses will be tasked with reviewing their data handling and processing practices with a view to ensuring they are GDPR compliant when the regulation goes live in six months' time.
As with any other legislative breach, businesses can expect to face a penalty if the regulations set out by GDPR are not followed. A personal data breach is defined as being ‘a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’ Larger fines for a serious breach will be up to 4% of an organisation’s annual worldwide turnover or €20 million, whichever is greater.
Potential increase in SARs
Research has found that approximately 2.9 million people are likely to submit a subject access request to their employer following the introduction of GDPR. This comes as an attempt to allow employees to exercise their right to be informed, increasing transparency between employers, employees and their personal data. To help ease the burden that a high volume of subject access requests can create, it is recommended that businesses turn to technology, like HR software, to store employee data rather than relying on manual processes, which carry too high a risk.
It's an update of previous legislation
The GDPR will supersede the existing data protection legislation, the Data Protection Directive (DPD), which was put in place in 1995 to regulate the processing of personal data in the EU. At that time, Google hadn't even launched, so it's clear that the data protection policies need a refresh, which is exactly the intention of GDPR.
It will still apply after Brexit
Despite Britain's plans to leave the EU, GDPR will still apply. After all, Britain will still be a member of the EU in May 2018 when the statute is activated, therefore it's imperative businesses do all they can to comply. Beyond that, even on the completion of Brexit, the much debated withdrawal bill will see all EU regulation affecting the UK transferred on to the British statute book.
UK Information Commissioner Elizabeth Denham comments: "I acknowledge that there may still be questions about how the GDPR would work in the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018. We'll be working with government to stay at the centre of these conversations about the long-term future of UK data protection law and to provide our advice and counsel where appropriate."
It is vital that small businesses prepare for GDPR compliance. The six month countdown has now begun and being aware of the new regulations and what they mean for your business is crucial.