Here, Tom Torkar, partner at law firm Michelmores, takes a look at how small UK businesses can get ready for the changes introduced by the General Data Protection Regulation, offering advice to owners unsure of its implications.
The changes being introduced in the EU General Data Protection Regulation 2016 (GDPR) will be the biggest shake-up in data protection and privacy law in over two decades. Coming into force on 25 May 2018, the regulations are the culmination of four years of lobbying and debate in Europe.
The GDPR updates the Data Protection Act 1998. It introduces concepts and requirements that better reflect the data processing that is carried out in an increasingly digital world.
More data is being collected than ever before and individuals are increasingly conscious of privacy issues. GDPR puts best practice on a statutory footing.
In light of this, the GDPR requires organisations to be more transparent and gives individuals greater rights to hold organisations to account.
What’s more, the fines that will be imposed for breaches of the GDPR are significantly higher than before, rising from a maximum of £500,000 to €20m or four per cent of global group turnover (whichever is higher).
The triggering of Article 50 and Brexit does not mean that the GDPR will not apply.
The GDPR will come into force well before the UK leaves the EU, and it is likely that organisations will have to comply with similar rules after the UK leaves, given that the UK will still wish to trade with EU member states, which will remain subject to the GDPR.
So, what practical steps should you be taking now as you work towards compliance?
- Review and document the mechanisms that you use to collect consent from data subjects.
- Ensure that the GDPR is on your Board or management team’s agenda and that sufficient resources and budget are allocated to GDPR compliance.
- Create a breach notification procedure to ensure that breaches are identified, assessed and, where required, notified to the ICO within 72 hours.
- Deliver GDPR training for your employees. This should be carried out before May 2018.
- Review your existing contracts and make any necessary amendments.
- Ensure that personal data is processed in well-structured, secure and searchable databases so that you can handle data subject requests efficiently. Be aware that data subjects have enhanced rights under the GDPR.
- Appoint a data protection officer if required or, if not required, appoint someone in the company to deal with data protection issues.
- Identify if you transfer personal data outside the UK and, if so, review these arrangements to ensure you are GDPR-compliant.
- Schedule regular GDPR review meetings throughout 2017 and 2018 to ensure that you are on track with your GDPR compliance plan.
It may be that as you read this checklist you feel overwhelmed. There is no need to panic – there is still time to prepare for GDPR. If you’re in doubt about what you need to do or know, seek professional advice.
Don’t be daunted – organisations that meet current requirements are well-placed to comply with the new rules and whilst the GDPR presents challenges, it should also be seen as an opportunity.
Your customers are increasingly privacy literate – embracing the changes introduced by GDPR will increase trust and strengthen your brand.
For further advice on how to prepare for the new General Data Protection Regulation within your small company, take a look at these 15 considerations for better data and device protection.
Tom Torkar is a partner at Michelmores