The GDPR changes all small businesses need to be aware of by Sarah Scholfield, solicitor at Manchester based Glaisyers
When it comes into effect on 25th May 2018, the General Data Protection Regulation (GDPR) will turn many organisations upside down as they struggle to bring themselves up to the standard required by the new regulation. This is particularly concerning given that new research shows a worrying 84% of UK small business owners (in addition to 43% of senior executives of large companies) are currently unaware of the forthcoming changes.
What is the regulation?
The result of four years of planning amongst EU member states and other interested parties, the GDPR is intended to bring greater strength and consistency to the protection of all EU citizens from privacy and data breaches.
Currently, EU data protection laws stem from the Data Protection Directive, which was implemented in different ways by EU member states back in 1995. In the UK, the Directive led to the introduction of the Data Protection Act 1995 (DPA). However, difficulties have arisen over the years as a result of the differing approaches adopted by each member state and of rapid developments in technology. The GDPR is designed to both update and harmonise the legal framework across the EU. The Government have been clear that the UK’s exit from the EU will have no impact on the introduction of the GDPR.
What will this mean for small businesses?
Those businesses that already have solid data protection and privacy processes in place are unlikely to see significant changes under the GDPR. For example, the concept of data controllers (who control how and why data is processed) and data processors (who act on behalf of the controller) will remain similar. Likewise, the definitions of personal data and sensitive personal data will only be extended to include things like online identifiers (e.g. IP addresses).
That said, there are some important changes small businesses need to be aware of prior to the GDPR’s introduction next year.
- One of the most important relates to the issue of consent. Under the DPA, one of the grounds on which businesses can rely to justify processing personal data is consent. At the moment, we operate a system of presumed consent in relation to personal data, with individuals being given the opportunity to opt out of any processing of their personal data. Explicit consent is only necessary for sensitive personal data. Under the GDPR, however, organisations will need to obtain express consent to the processing of any personal data, effectively requiring data subjects to actively opt in. This means pre-ticked boxes, silence or inactivity will not suffice.
- The GDPR will introduce a strict data breach notification process which will require businesses to report any breach within 72 hours unless the breach is unlikely to result in risk to the individual(s) concerned.
- There will also be changes made to the subject access request (SAR) regime. Under the DPA organisations can charge £10 for responding to a request and have 40 days in which to respond. Under the GDPR, generally organisations will be unable to charge and the timeframe will be reduced to one month.
- The GDPR will also see a marked increase in potential fines which, along with the strict deadlines attached to certain obligations under the GDPR relating to reporting breaches and responding to SARs, is likely to surprise small business owners. Under the DPA, a data controller or data processor can be fined up to £500,000 in respect of any breach. Fines under the GDPR, however, will be based on a two-tier system, with businesses being fined up to either 2% of worldwide turnover or 10 million euros (whichever is the greater) or 4% of worldwide turnover or 20 million euros (whichever is the greater). The level of fine will depend on the nature of the breach.
- The GDPR will give individuals the right to ask businesses to delete their personal data in certain circumstances, for example asking a search engine provider to remove results that are outdated or irrelevant. This is known as the right to erasure or the right to be forgotten. However, it is not currently clear how this right will work in practice as it could present significant difficulties for some businesses.
How can small businesses prepare?
The first thing businesses need to be doing is disseminating information about the GDPR among their senior decision makers. It is essential that people are aware of the key changes in advance of the new regime, which may mean providing additional training where necessary.
In brief, businesses should:
- Audit and document the personal data they currently hold, making a note of where it came from and who they currently share the information with.
- Review their current privacy notices. The GDPR requires businesses to include certain additional information in their notices including, for example, the data subjects’ right to complain to the Information Commissioner’s Office (ICO). The ICO has published a Code of Practice which sets out the new requirements.
- If a business relies on consent, it should review how it obtains and records that consent. Under the new regime businesses will need to be able to demonstrate that consent has been freely given, which will require them to produce clear records.
- Consider how they will report any data breaches to ensure they meet the strict 72-hour deadline. Businesses should think about putting in place a clear notification procedure so individuals within the organisation know how to report any breach.
- Depending on their size and administrative resource, businesses should consider appointing a specialised Data Protection Officer to take responsibility for compliance and communicate the message to the rest of the business. In some circumstances, this will be mandatory.
- In terms of SARs, the GDPR vastly decreases the amount of time organisations have to respond. In view of this, businesses should review their processes now to ensure they will be able to respond to requests within the new one-month timeframe.
- Consider whether it is even necessary to process personal data. If so, consider anonymising the data, reducing the business’s exposure to the GDPR.
With less than a year to go, it’s crucial that all businesses begin now to take a proactive approach to preparing for the forthcoming GDPR.