GDPR (General Data Protection Regulation) has received lots of attention in the media over the past couple of weeks, but that doesn’t mean you shouldn’t be doing something about it. GDPR is still very much a big deal for SMEs. Businesses throughout Europe need to make changes to how they collect, store and monitor data of all types.
For those who may have forgotten: what is GDPR? GDPR will come into effect on 25th May. Developed by the European Parliament and European Council to replace the 1995 Data Protection Directive, the EU’s GDPR website says the legislation has been designed to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy”. To be fully GDPR compliant, a business must not only protect consumer and employee data but also provide a number of simple ways for people to control, monitor, check and delete any and all information held about them.
Under GDPR, non-compliance could land businesses with a large financial penalty that can reach €20 million or 4% of annual global turnover (whichever is greater). The Information Commissioner’s Office (ICO) has the power to impose penalties on a discretionary basis, and each breach will be assessed on a case-by-case basis. In November ‘17 the ICO created a phone service to help small businesses prepare for GDPR, providing support and advice on how SMEs can implement GDPR procedures.
When it comes to GDPR compliance, it’s important that any department or employee involved in processing data is made aware of the implications of GDPR. The person responsible for a business’s data protection should develop training sessions or create resources that can be made available to the wider team.
Whilst it may seem like an administrative nightmare for employers, the onset of GDPR ironically presents a unique opportunity to improve engagement and communication with staff and customers by gaining their buy-in and consent.
We’ve had a number of clients come to us and ask, “What do we need to do to be compliant with GDPR?” So to prepare your business, here are our top tips to get ready:
- Make sure the right members of your company are aware of the regulations
- Find out exactly what information you hold on your clients/customers and where this data came from
- Update your privacy notices to include the length of time you intend to keep the data
- Review how you gather clients/customer consent to use their personal information
- Decide who will be responsible for data protection in your business
- Get ready to detect, report and investigate any GDPR breaches
When a personal data breach has occurred, you need to assess the severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk, then you must notify the ICO; if it’s unlikely, then you don’t have to report it. If you decide you don’t need to report the breach, you need to be able to justify your decision.
With so much information out there, organisations should do their research to understand what the legislation means for them and not assume that they aren’t affected. For more information about GDPR, contact your local Champion office.