On 25 May 2018, the General Data Protection Regulation (GDPR) comes into force. As the most significant shake-up of data protection law since the Data Protection Act 1998, it has businesses everywhere scrambling to get ready for the changes.
GDPR is “designed and intended to embody a data protection regime fit for the modern digital age”, as Anya Proops QC explains in a BBC article.
Under GDPR, businesses need clear internal guidelines on who is responsible for personal data and how it is collected, processed and stored, and a lawful basis for every piece of personal data they hold. Consent is only one of six lawful bases (others include performing a contract and a legitimate interest), so you do not need fresh consent for everything, but you do need to be able to say which basis applies and why. Data subjects - living individuals, not companies - are entitled to greater access to and control over the data organisations hold about them than they have under the current legislation.
No Reason to Panic
Some companies, such as the national pub chain JD Wetherspoon, have taken this panic to the extreme and deleted their entire customer database. Even MPs are struggling to understand how to implement it, with some deleting constituency case files in response to training they have received in the House of Commons.
However, as many lawyers and IT professionals would say, there is no reason to panic. Naturally, companies want to avoid the huge fines for failure to comply, which can be as high as €20m (around £17.5m) or 4% of global annual turnover, whichever is greater. Those are maximums reserved for the most serious infringements, and they are not triggered simply by suffering a breach: what matters is whether you had sensible safeguards in place and dealt with the breach properly. Deleting data, or spending a fortune on consultants, is not a necessity.
The Information Commissioner's Office (ICO) is the regulator responsible for enforcing the new legislation in the UK. It runs a dedicated helpline for small organisations, and publishes plenty of free guidance for anyone who wants to know more about getting ready for GDPR. So does the Federation of Small Businesses (FSB).
One reason companies should not panic about the potential impact of fines is the message coming from the ICO. Elizabeth Denham, the UK Information Commissioner, said: “We’re not going to be looking at perfection, we're going to be looking for commitment.” The ICO has made clear that its enforcement effort will focus on organisations that have suffered a serious breach through poor practice, or that are using people's data without a lawful basis, rather than on those making a genuine effort to comply.
“We will have more powers to stop companies processing data, but we only take action where there has been serious and sustained harm to individuals,” she explained to the BBC. “The first thing we are going to look at is, have they taken steps, have they taken action to undertake the new compliance regime.”
Impact on Small Businesses
For most small businesses, the first step is to check whether you need to pay the data protection fee to the ICO as an organisation that processes personal data. You can take a quick self-assessment on the ICO website to find out, and if you do need to register, the annual fee for the smallest organisations is £35.
Next, if you have an email newsletter, or a database of contacts you email regularly, check that the consent you hold meets the GDPR standard: freely given, specific, informed and recorded, with an easy way to withdraw it. If it does, you can keep using it. If it does not, or you cannot show how each address was obtained, it is worth asking people to confirm that they still want to hear from you. This is why you may have received dozens, if not hundreds, of emails ranging from “I’m sorry to see you go” to “Urgent: Take action NOW!” Free email services such as MailChimp have templates and an automated process for this. One caveat: if you never had valid consent to email someone in the first place, a message asking them to opt in is itself unsolicited marketing under the existing privacy and electronic communications rules, and the ICO has fined companies for exactly that.
And finally, make sure your internal processes and safeguards for receiving and processing personal data are proportionate and documented. In practice that means keeping only the data you actually need, restricting who can access it, knowing where it is stored (including on laptops, phones and with third-party services), and having a simple plan for handling a breach, since GDPR requires you to report a serious breach to the ICO within 72 hours of becoming aware of it. You might need to invest in GDPR training for staff, and potentially in new security software.
In total, getting ready for GDPR should not cost a small business more than a few hundred pounds, or at most a few thousand. It may take a day or a few days' worth of time, depending on how complex your data compliance challenges are. But none of this should present the sort of difficulties that many articles and commentators are claiming. The best thing you can do with data is review what you hold, make changes as needed, and keep calm and carry on.
Disclaimer: We hope you found the information in this article useful and informative. Please remember that this is an article and is no substitute for professional advice on taxes, your business or personal finances.