Big companies have been spending millions to comply with the EU General Data Protection Regulation (GDPR) before it becomes law on May 25, 2018. But how should small businesses be preparing for GDPR without dedicating entire departments of employees to do the job?
“The EU General Data Protection Regulation (GDPR) … was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” ~ GDPR Portal
In addition to organizations within the EU, the GDPR applies to orgs “outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects,” according to FAQs on the GDPR Portal. “It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.”
With less than three months to go until the regulations come into force, the GDPR compliance advice in the media is coming thick and fast and, in some cases, creating a sense of panic — especially about the huge fines that could squash a small business.
Don’t panic. Prepare.
Those massive fines you hear about will only be levied if you’re in serious non-compliance with GDPR regulations — which adequate, thoughtful preparation will help you avoid. Read on to get up to speed and find out about preparing for GDPR.
What exactly is GDPR?
Again, GDPR is the EU’s General Data Protection Regulation, which comes into force across the EU and the UK on May 25. It will be consequential for any business that collects, processes and uses personal information. The ripples will also be felt by businesses across the world if they work with the EU and UK — one big chain reaction.
GDPR is billed as the “most important change in data privacy regulations in 20 years.”
The cost savings of this unified law are currently estimated at $2.3 billion per year. The bottom line is that businesses will simply have to collect personal data more securely.
GDPR is a good thing for individuals and brands.
We all know how unnerving it is to have our personal data shared without our consent. The law is catching up with the digital world and protecting the individual. The GDPR’s “right to be forgotten” gives affected individuals the power to ask for access to their personal information, or for it to be deleted.
Last year, our National Health Service (NHS) was hit by a cyberattack, plus there was the Equifax data breach — just two of thousands of organisations and businesses attacked by cyber criminals. In fact, 2017 was dubbed “the year of the cyber attack.”
GDPR will ensure an organisation has put proper protection in place to secure personal data.
Encryption is mentioned in the regulations, but a ransomware-specific antivirus product is also a good idea.
Editor’s note: GoDaddy Website Security, powered by Sucuri, (the Deluxe Plan) includes a Web Application Firewall (WAF) that intercepts and inspects all incoming data and automatically removes any malicious code.
Preparing for GDPR — Q&A
Let’s address some of the common questions that crop up when preparing for GDPR.
Can’t I just ignore GDPR?
Put simply, no, you can’t. A business is a business, no matter how small, and these measures will apply to everybody. There is, however, a difference in the types of record-keeping duties between small and large businesses.
Having fewer than 250 employees in your company means you must have records of your data processing activities, if the data relates to criminal offences or someone’s privacy rights.
Those with more than 250 employees must keep much more detailed records, but as a small business, you might still have to keep in-depth files if you are dealing with highly sensitive or personal information. You are only exempt if you only process personal information from EU residents sporadically.
Do I really need to employ a data protection officer for my business?
Maybe — it all depends on what personal information you collect and the amount of data, rather than the size of your business. A group of organisations can employ one data protection officer, as long as that officer is wholly available, when needed, to meet the demands of all the organisations.
What about fines?
Now to the nitty-gritty — the fines. The fines that can be given under GDPR are eye-wateringly large:
- The fines levied on those who don’t adhere to GDPR are up to two percent of an organisation's annual turnover, or €10 million, whichever is higher.
- That rises to four percent of turnover, or €20 million, whichever is higher, for breaches of people's personal data.
The “whichever is higher” is the crucial phrase for a small business, as the impact of this could fold the company.
However, these fines are only for serious breaches. The Information Commissioner's Office has reassured businesses that they will not be making any early examples by levying hefty fines for mistakes, “preferring the carrot to the stick.” The fines are simply there to reflect the importance of personal data privacy. Fines must also be “proportionate” (i.e., if you make a breach, but you made every effort to adhere to GDPR, you won’t receive a large fine).
What do I need to do to ensure compliance?
Just last month, the London Chamber of Commerce and Industry said that according to their survey, one in four London businesses are still unaware of GDPR, so there will be plenty of companies still to take action. Of the same group, one in five said their business would like to prepare for GDPR, but needs to find out more about it.
The key is to take action now to save on last-minute panic.
- Locate, record, and discern what personal data you process. Understand who sees it and shares it.
- Establish a process that fits in with GDPR regulations and is transparent to the person giving you their personal information, so that they give their consent with the correct information.
- Make sure that you can alert the data protection authority of a data breach within 72 hours.
- Make sure that you can delete, change or transfer personal data on request, within one month. The transfer request might be to another organisation.
- Hire a data protection officer if your company processes personal data on a large scale.
Time is now running out for businesses to get things in order in time for the GDPR deadline. However, by preparing for GDPR now, you will be in a good position when the date arrives.
With one third of Brits saying they are planning to exercise their “right to be forgotten,” any preparation done now will enable you to roll your sleeves up and get on with it in the spring.
GDPR is not only good for the individual, but it could also benefit your business by building another level of trust with your customers. GDPR is inevitable, so now is the time to embrace it.
The above content should not be construed as legal or tax advice. Always consult an attorney or tax professional regarding your specific legal or tax situation.