GDPR and small businesses
What is GDPR?
If it’s not something you have heard of already, it’s definitely something you will be hearing about over the next six months! The General Data Protection Regulation (GDPR) replaces the Data Protection Act (1998), and will apply to all organisations as of 25th May 2018. It’s focused on looking after the privacy and rights of individuals, and based on the premise that individuals should have knowledge of what data is held about them and how it’s used.
Why is this important for you?
Being a small business does not mean you are exempt from GDPR. All businesses need to be aware and take steps to get ready for GDPR.
- The fines – ignoring the GDPR or getting it wrong could have costly repercussions: organisations found to be in breach of the Regulation face administrative fines of up to 4 per cent of their annual global turnover or €20 million (whichever is the highest).
- Reputational damage – failing to get data protection right is likely to damage your reputation and stakeholder relationships.
Taking the time to properly prepare and comply with GDPR will mean your data handling, information security and processes are more robust and reliable, it could even give you a competitive advantage.
What are the main updates?
The 8 principles for processing information:
- fairly and lawfully processed;
- processed for specified purposes;
- adequate, relevant and not excessive;
- accurate and, where necessary, kept up to date;
- not kept for longer than is necessary;
- processed in line with the rights of the individual;
- kept secure; and
- not transferred to countries outside the European Economic Area unless the information is adequately protected.
Consent – There are more prescriptive requirements for obtaining consent under the GDPR and employees must be able to withdraw their consent at any time. This will make it harder for employers to rely on consent to justify processing. Employers will need to rely on one of the other legal grounds to process personal data.
Privacy notices – Under the current law, employers are required to provide employees and job applicants with a privacy notice setting out certain information. Under the GDPR, employers will need to provide more detailed information, such as:
- how long data will be stored for;
- if data will be transferred to other countries;
- information on the right to make a subject access request; and
- information on the right to have personal data deleted or rectified in certain instances.
Data Protection Officers – Businesses with over 250 employees will have to appoint a Data Protection Officer (DPO), to manage compliance within the business. Even if an organisation is not required to appoint a DPO, responsibility for compliance should be assigned to a specified individual.
Data breaches – Where there has been a data breach (such as an accidental or unlawful loss, or disclosure of personal data), the employer will have to notify the data protection authority within 72 hours. Where the breach poses a high risk to the rights and freedoms of the individuals, those individuals will also have to be notified.
How to prepare/What help is there?
The Information Commissioner’s Office (ICO) have provided a 12-step guide for preparing for GDPR which can be viewed at https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf. ICO have also launched a helpline to help SMEs prepare for GDPR, you can contact them on 0303 123 1113 – select option 4 to be diverted to staff who can offer support.
Look out for the Breathing Space HR webinar coming soon for a full guide to GDPR. If you wish to discuss how to get GDPR ready, please call us on 0113 386 9270.