The General Data Protection Regulation (GDPR) will replace the current Data Protection Act on 25 May 2018. If you process personal data about individuals, it will apply to you. But how exactly could GDPR affect your business?
From new business responsibilities to the impact of time and costs, we explain the effect GDPR could have and what you should know so you can start preparing.
Most businesses store a lot of personal data, from banking information to the phone numbers, email addresses and home addresses of their employees, customers, contractors and prospects.
GDPR will see individuals have more control over their own personal data. This means that when handling an individual’s personal data, you will have a responsibility, as a business, to meet their rights.
Individuals will have eight rights. These are:
To honour all of these rights, you should make sure your business has the right processes in place to respond to requests effectively and within the required time, without disrupting your day-to-day operations. You can learn more about individuals’ rights in our article How to prepare for GDPR.
Many people class GDPR as an IT issue that mainly concerns your computer systems and how you store personal data, including how client files and passwords are kept. However, it also affects other processes across your business, from project management to networking.
Projects – When starting a new business project, you should consider data protection from the outset, for example whether the project will involve information about individuals. If a project involves processing personal data that is likely to pose a high risk to individuals, you will have to conduct a data protection impact assessment (DPIA) to identify the risks and decide how they should be addressed.
Sales and marketing – You should make sure your sales and marketing processes are compliant with GDPR, including opt-in and opt-out rules, email marketing best practice and the tracking of online behaviour. Even if you buy in data or outsource your marketing, you remain responsible for being able to show that valid consent was obtained.
Records – You must be able to demonstrate that an individual has given consent to receive communications from you, such as a newsletter. This means keeping an audit trail that shows what they opted into, how they did so and when.
Security – You should ensure your business’s security systems and procedures are equipped to spot and react to breaches quickly, because a personal data breach must be reported to the Information Commissioner’s Office within 72 hours of you becoming aware of it, unless it is unlikely to pose a risk to individuals. Where a breach is likely to result in a high risk to the people affected, you must also inform those individuals.
Networking – You should be cautious about how you collect information when networking. You can still meet a potential client, ask for their business contact details and arrange to meet for a coffee, for instance, but you can no longer simply add their details to your company mailing lists without complying with the regulations.
Making changes to your business’s work processes to meet GDPR guidelines is likely to take time. This is time that would otherwise be spent developing other parts of your business.
You’ll also need to react quickly to an individual’s request to, for instance, access the personal data you hold about them, have it corrected or erased, or stop it being processed. Such requests generally have to be answered within one month. Ensuring you can do all this is likely to be time consuming, which could affect a small business where time is in short supply. It’s therefore important to start planning now so that time is available for any necessary changes to your processes.
Most small businesses will not have to appoint a Data Protection Officer (DPO). Whether you need one isn’t about the size of your business or its turnover; it depends on how much personal data you process and what you do with it. Appointing a DPO is mandatory for a business if it:
Even if none of these apply, you can still choose to appoint a DPO. If your business is part of a group, a single DPO can cover more than one company. If you choose not to appoint one, you must still make sure staff are aware of GDPR, are trained and have the right skills to handle personal data properly.
If you do appoint a DPO, that person will be responsible for making sure the personal data processes, activities and systems in your business all meet the requirements of the law.
The changes you’ll have to make to your company for GDPR could have an impact on your business costs. These could include the cost of the time spent putting the necessary processes in place and the cost of training your staff. So it’s important to plan in advance and consider your business finances to ensure you can cover such costs.
Businesses need to comply with the new regulations or run the risk of sanctions, including fines. For the most serious breaches, fines can be as much as 4% of your total annual worldwide turnover or €20 million, whichever is greater. This could be devastating for a small business.
GDPR could affect your business in many different ways, from taking on new responsibilities to honour your customers’ new rights, to the time and costs needed to make changes to your company. You may therefore want to use a third-party expert to help you do the work.
FSB members are supported with advice and guidance to develop simple step-by-step plans to prepare their business for GDPR and maintain compliance.
FSB Business Essentials members have access to:
To find out more about how we can help your business with GDPR compliance, please visit our FSB Legal Hub and FSB Cyber Protection pages. The services are included as standard with our Business Essentials package. Please take a look at our product comparison page to find out about the benefits of this and our other packages.
FSB Cyber Protection includes an insurance policy with cover of up to £10,000 and an unlimited use helpline to answer all your Cyber Security questions.