Data protection is a major part of running a business. It covers much of your administration, your dealings with customers and the processing of staff information.
The General Data Protection Regulation, or GDPR, is a significant change to how personal data is regulated and protected. Given the scale of the changes coming into force, many business owners are understandably worried about the implications and the impact it could have.
We explain some of the crucial elements around GDPR to keep in mind.
GDPR officially comes into force on 25 May 2018. This means that, as a business, you have time to ensure your data protection practices are adequate and compliant before the new rules take effect.
The full text of the GDPR has 99 individual articles which determine how personal data is to be stored, accessed, protected and used.
The key areas to consider focus on data access, compliance, obligations and penalties.
GDPR gives the public more power to access the information being held about them, without needing to pay to make a Subject Access Request (SAR).
Under the GDPR the existing SAR fee is removed in most cases, so requests for personal information are generally free.
This means that whenever a member of the public asks a business or public body for their personal information, that information normally has to be provided free of charge and within one month. There are some exceptions to this general rule: for example, you can charge a reasonable fee, or refuse to act, where a request is manifestly unfounded or excessive.
In addition, the new regulation gives people eight individual rights, which include the right to have their personal data erased in specific circumstances. This is often referred to as 'the right to be forgotten' and arises in several situations, for example:
The way data is held and governed also changes under GDPR. The level of accountability for businesses is greater, and businesses should have clear processes and data protection documentation in place in order to demonstrate and remain in compliance.
For most small businesses it won't be a legal requirement to appoint a Data Protection Officer (DPO); the requirement applies to public authorities and to organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special category data. Even so, it will be beneficial to your business to appoint someone who is responsible for your data obligations under the GDPR. You are allowed to appoint someone outside your firm, e.g. a consultant, to be your DPO.
A DPO should monitor and maintain GDPR compliance, advise and liaise with staff, and serve as a point of contact for the public and the Information Commissioner's Office (ICO). This means there will be a named person responsible and in contact with people in the event of a data breach.
Data security and confidentiality therefore remain important. One of the major changes under GDPR is the focus on data breaches. Businesses in the UK will need to report a personal data breach to the ICO, the UK's data protection regulator, where it is likely to result in a risk to individuals' rights and freedoms, and they must do so within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, businesses will also have to inform the affected individuals without undue delay.
A personal data breach doesn't just mean the theft of financial details either. GDPR defines it broadly as any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. When assessing the risk you must consider harms such as loss of confidentiality, financial loss, discrimination or damage to someone's reputation.
Failing to comply with data protection law has often seen businesses hit with large fines, and the same will be true under GDPR. However, the fines for non-compliance and security breaches are significantly higher than the current penalties, which in the UK are capped at £500,000.
The new fines depend on the infraction. For the most serious breaches the maximum is €20 million or 4% of a business's total worldwide annual turnover, whichever is higher; a lower tier of €10 million or 2% of turnover applies to other infringements.
These stronger fines are there to ensure compliance, and failing to prepare for and maintain your GDPR compliance could have serious financial ramifications for a small business.
GDPR could affect your business in different ways, from taking on new responsibilities to give your customers their new rights, to the time and costs needed to make changes to your company. So it's a good idea to use a third-party expert to help you do the work.
FSB members are supported with advice and guidance to develop easy step-by-step plans to prepare their business for GDPR and maintain compliance.
FSB Business Essentials members can access:
If you'd like to learn more about how we can help your business with GDPR compliance, please visit our FSB Legal Hub and FSB Cyber Protection pages. These services are included as standard with our Business Essentials package. Please take a look at our product comparison page to find out about the benefits of this package and our others.
FSB Cyber Protection includes an insurance policy with cover of up to £10,000 and an unlimited-use helpline to answer your cyber security questions.