A new data privacy law will be introduced in May next year and here I take look at the key things every small business in the UK needs to know. The new law is called the EU General Data Protection Regulation (GDPR) and is a complete overhaul of the legal requirements which much be met by anyone involved in handling personal data of EU citizens.
The stated aim of the regulation is to give citizen’s greater control over what can be done with their personal data by businesses. This will be enforced by large fines – up to 20 million euros or 4% of a company’s global turnover – for non-compliance.
The regulation must be observed by any organisations with more than 250 employees, which on the face of it may give the impression that many UK small businesses will be exempt. However, it isn’t quite that simple. A business must still comply if it’s involved in regular “processing” of certain categories of personal data, which legally is taken to include collecting and storing as well as using data.
These categories include health data, information on individuals’ racial or ethnic origin, political affiliations, religious beliefs, genetic and biometric data and sexual orientation.
What are the effects for a small business?
In brief, the new legislation will mean that companies which need to be GDPR compliant will have three new responsibilities.:
- The first is to appoint a designated Data Protection Officer. This person will need to be adequately skilled (or trained) and have an “expert” level understanding of the organisation’s responsibilities regarding the GDPR.
- Businesses will have to comply with strict new laws around reporting theft or loss of personal data under their control. Any such loss must be reported to the national data protection authority (in the UK, the ICO) within a maximum of 72 hours, and preferably within 24.
- Changes have been made around the notion of “consent” – the clause which allows many uses of personal data – such as processing identifying information – if the person who the data belongs to has agreed to it.
Consent must now be explicitly given for this information to be used – by users opting in to allowing it, rather than simply neglecting to opt out. This will be applied retroactively – meaning data previously gathered without meeting the new standards of “consent” can no longer legally be used. Privacy policies will have to be updated as there is a requirement that companies make individuals aware of their new rights under the GDPR.
What should UK businesses do to prepare for GDPR?
The truth is that a lot of the obligations placed on businesses by the GDPR are “common sense” and should already be common practice among companies with solid data privacy and protection processes in place.
We know this is not always the case – companies large and small often make mistakes or missteps when it comes to personal data – and penalties for doing so will now be far higher.
The first step for many companies will be to appoint someone to the position of Data Protection Officer. It’s worth remembering that this doesn’t have to be a full-time employee and depending on the size of the company or the amount of data handled, some may choose to outsource this.
Businesses now have an obligation to make individuals aware of their rights under the GDPR as part of the data collection process, and this is likely to mean many privacy policies or T&Cs will need to be updated.
Clear plans should also be put into place for what should happen in the event of a breach. This will mean having a thorough understanding of what data within your organisation counts as “personal”, where it’s kept, who has access to it, and how to spot breaches when they occur, as well as who it must be reported to.
Another important step will be reviewing the consents that were given when data was collected. If it was collected under “opt out” or other mechanisms which are invalidated by GDPR, an organisation is automatically open to prosecution if they continue to use this data for any purpose where consent is legislated as necessary.
Most importantly – start thinking about all of this sooner rather than later! Whether it is due to confusion over Brexit or not, many UK companies are being slow to digest the implications, and implement the changes, of GDPR. May 2018 is fast-approaching and regardless of how closely the UK’s own legislation eventually mirrors GDPR, UK businesses will be operating under EU law for at least a year after that.