As a small business, you have probably heard about the General Data Protection Regulation (GDPR), which applies from 25th May 2018. It replaces the Data Protection Act 1998 (and, at EU level, the 1995 Data Protection Directive that the Act implemented), modernising the EU's approach to data protection for current technology. This article looks at the key points of GDPR for small business and how to ensure you don't fall short of the new rules covering the use and storage of personal data.

Let's first answer a question that many UK business owners ask, namely how will Brexit affect the implementation of GDPR? The simple answer is that it won't. On 21st June 2017, the UK government unveiled plans (the bill that became the Data Protection Act 2018) to carry GDPR into UK law, so that the country's data protection framework remains suitable for the digital age. Note also that GDPR's reach does not depend on employing EU citizens: it applies to any organisation established in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Either way, UK companies have to comply from 25th May.

GDPR and smaller businesses

Article 30 of GDPR gives organisations with fewer than 250 employees a partial exemption, but only from the duty to keep written records of processing activities, not from the regulation itself. Even that exemption is lost if your processing is not occasional, is likely to result in a risk to individuals' rights and freedoms, or involves special categories of data (such as health data) or criminal conviction data. So you should consider how regularly you process and store personal data and whether you supply it to a third party, for marketing purposes for example. It's important to note that the regulation covers any personal information held about past or present staff as well as your clients and customers.

GDPR for small business: key points

The primary idea of GDPR is to extend individuals rights over how companies collect, store and use their data. Here are some of the key points of GDPR for small business owners:

GDPR applies to every organisation that processes personal data, whatever its size. The 250-employee threshold only relaxes the record-keeping duty, and a small business loses even that relief if it handles special category data, such as information on individuals' health, or genetic or biometric data.

Appointing a Data Protection Officer is mandatory for public authorities and for organisations whose core activities involve large-scale processing of special category data, or regular and systematic monitoring of individuals on a large scale; headcount alone does not trigger the duty. Other businesses may still appoint one voluntarily to ensure personal data is handled correctly.

A personal data breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the Information Commissioner's Office (ICO) within 72 hours of your becoming aware of it.

Consent is one of several lawful bases for processing personal data. Where you rely on it, consent must be a clear, affirmative 'opt-in' action, so pre-ticked boxes and silence do not count, and it must be as easy to withdraw as it was to give.

For online services offered directly to children, parental or guardian consent is required for any child under 13 (the UK has adopted the lowest age GDPR permits; the default in the regulation is 16).

Individuals have 'the right to be forgotten' (the right to erasure): they can withdraw their consent or ask for their data to be removed, for example where it is no longer needed for the purpose it was collected.

Individuals can also request that any inaccuracies in their data be corrected (the right to rectification).

Enforcement

GDPR is introduced to protect the personal data of individuals in the EU and to ensure companies comply with it. Under the DPA 1998, the ICO can levy fines of up to £500,000 for data misuse or a breach. The main GDPR shift is the substantial increase in fines for organisations that do not comply with the regulation or fail to report a data breach. Regulators now have two tiers of penalty: the lower tier covers breaches of obligations such as record-keeping, security, breach notification and data protection impact assessments, and the higher tier covers breaches of the basic principles, the conditions for consent, individuals' rights and the rules on international transfers.

1) Up to €10 million, or 2% annual global turnover – whichever is higher.

2) Up to €20 million, or 4% annual global turnover – whichever is higher.

The ICO will weigh a number of factors in setting the level of a fine, including the nature, gravity and duration of the infringement and the number of people affected; whether it was intentional or negligent; any action taken (or not taken) by the organisation to mitigate the damage; and the type of personal data involved.

Next steps

Make sure that you have a policy in place for data use and retention. Under GDPR you must have a justifiable reason to keep personal data for longer than it is needed for the purpose it was collected for. Article 32 requires security measures appropriate to the risk; it does not prescribe particular technology, but it names encryption as an example, so encrypting data in transit and on laptops and other portable devices is the practical baseline. Organisations are responsible for demonstrating that they comply with their obligations under GDPR. Not only will they need to keep records to prove compliance, they'll also need policies governing the collection and use of that data. Make sure that all your employees understand GDPR and are trained in data safety, because a single email sent to the wrong recipient counts as a personal data breach.
