Agree with the decision or not, Brexit is very much happening, but does that mean small and medium businesses within the UK can now disregard the incoming General Data Protection Regulation (GDPR)?
The simple answer is no.
Until the UK finalises its divorce, which will be in April 2019 at the absolute earliest, every firm will have to abide by the GDPR in its entirety.
With some exceptions.
The implementation of the regulation, which will cause a massive shift in the way in which data is handled, is likely to hit Ireland hardest due to its more relaxed stance on data privacy, but every company will be impacted.
Data protection agencies, such as the UK’s own Information Commissioner’s Office (ICO), will gain new powers, allowing them to act against organisations throughout the world.
Thus, it is important that every SMB prepares well ahead of the new regulation’s 25 May, 2018 implementation date.
What is the purpose of the General Data Protection Regulation?
Back in 2016, the European Union legislature, though late to the party, decided it was time that the Eurozone should take data protection seriously.
Consequently, it passed new legislation that mandated standards around the collection and storage of personal information by data controllers and processors.
Though the main purpose of the new legislation was to encourage companies within the Eurozone to take data protection more seriously, it is as much a stick as a carrot, requiring businesses to abide by a strict set of rules.
What are the requirements of the General Data Protection Regulation?
The new regulation will apply throughout the European Union, affecting all businesses which have a responsibility for processing and/or storing personal information.
It aims to promote a uniform approach toward the exchange, storage and security of data between all the EU member states.
The entire scope of the GDPR is vast but there are some key points that all businesses need to be aware of:
- From May 2018, all data breaches must be reported to the ICO. Under ideal circumstances, notification should take place within 24 hours, with a requirement that such should take place within a maximum of 72 hours. This is a huge change versus the current situation in which data breach notification is largely optional outside of other existing regulatory requirements. Additionally, if the breach poses a threat to any individual’s privacy, they must be informed, too.
- Citizens of the European Union will have their data protection rights enhanced significantly. Going way beyond informed consent, the regulation affords additional protection in terms of the right to withdraw consent to data collection at any time, as well as the burden on companies of destroying data that is no longer permissible to use, or otherwise not required to be stored.
- EU citizens will be afforded the ability to exert a much higher level of control over their own data, including the ability to request it in a machine-readable format. This means firms could be asked to supply vast swathes of personal information to customers who will then take it to one of their competitors.
- For some larger firms and public authorities, a Data Protection officer will become a mandatory requirement. In broad terms, a company with 250 or more employees must employ a person who is responsible for ensuring that the business collects, processes and secures data in an appropriate manner.
- Businesses of all sizes can be punished far more severely than under existing legislation. The UK’s Information Commissioner’s Office has, at times, been accused of being largely toothless with its maximum fine level of £500,000 – which is rarely levied in anything but the most serious cases. Under GDPR, the maximum penalty for breaking privacy rules will rise to €20 million or a potentially much larger four percent of annual turnover, whichever is the larger.
The definition of personal data under the General Data Protection Regulation
In much the same way as the existing Data Protection Act, the General Data Protection Regulation mandates the way in which organisations must store and process personal data.
The fundamental difference between the two, however, is that the new EU regulation is far broader in its definition of what constitutes personal data, moving from a specific list of criteria to an all-encompassing notion that all information that could be personally identifiable is in scope.
What this means in practice is that the new regulation goes beyond obvious identifiers such as names and addresses and will now include more obscure information such as IP addresses and other ‘e-signatures’.
Is your business small enough to be exempt from the General Data Protection Regulation?
The good news for many SMBs is that the EU has recognized the risks are inherently lower in smaller companies. As such, they may not fall within the scope of the GDPR, though there are some caveats.
Article 30 of the incoming regulation stipulates that an organisation is exempt if:
- It employs fewer than 250 people, though that only remains so if it is not processing personal information in a manner that could pose any level of risk to those whose data it holds
- It does not process such data on a frequent basis, or involve specific types of data that receive special consideration, such as criminal conviction data
If that sounds confusing – and until an offender has to answer a case, it most certainly is unclear. The Information Commissioner’s Office has issued broad guidance stating that GDPR will likely apply to those companies that already have commitments under the Data Privacy Act.
How do you ensure your business is compliant with the incoming General Data Protection Regulation?
The good news here is that most companies that fall within the scope of the GDPR will already be well on the way to compliance because they will have already ensured they are in line with the requirements of the Data Protection Act.
If you are unsure whether your business needs to comply with the GDPR, feel it may need to do so in the future, or simply wish to act in an ethical or privacy-conscious manner, the following steps will set you on your way:
- Make a clear distinction between what constitutes business data and what could be considered personal information. Ensure that the latter is processed and stored securely.
- Ensure all such security measures are reviewed and assessed periodically and potential improvements identified and acted upon.
- Likewise, consider the use of regular Privacy Impact Assessments and act on the findings.
- If the size or nature of the business requires it, install a Data Protection Officer. Be aware that this requirement of the GDPR will lead to a flurry of recruitment in this area so act sooner rather than later to ensure compliance.
- Data breaches are a very real business risk so ensure your team knows what to do if one occurs. Have an incident response plan in place, along with business continuity and disaster recovery plans. Operate regular drills so everyone knows their role and make sure someone has a clearly defined responsibility to inform the ICO within the maximum 72-hour breach reporting timeframe.
- Lastly, carefully consider the pros and cons of obtaining privacy-related certification as a means of proving compliance with the GDPR. This area is still immature so ensure you conduct due diligence before trading cash for something that may have no real business value.
It’s time to take privacy seriously
Even if your business is too small to fall under the jurisdiction of the General Data Protection Regulation, you should consider aiming for compliance anyway.
For one, larger partners, affiliates, suppliers and customers may apply pressure to minimise their own risks as a data controller.
Not only that, the requirements are not overly arduous and represent good business practice. The cost of following them should not be too severe, while the damage to customer goodwill in the wake of a breach could be highly damaging if the opposite is true.
Thus, the General Data Protection Regulation is one EU rule that makes sound business sense, at least until the UK receives its decree in 2019, and most likely for many years afterwards.