In 2017, 99% of the UK's 5.5 million businesses employed 250 employees or fewer. In fact, the usual definition of an SME is any business with fewer than 250 employees. This small business grouping is often further defined as micro-businesses when they have 0-9 employees. (Source: www.parliament.uk)
Why are these numbers so important? Well, the chances are that you either own, run or work in a business that falls within these employee ranges, and more importantly, there’s a massive change in the data protection legislation, which will impact all businesses – public, private, large, small or micro. Large corporate and public sector organisations are in full swing making changes. Are you?
If you’re interested in hearing how this will impact you as an owner or an employee of a business read on.
Why is the GDPR important, and why should you care?
Well, the last EU data protection law was in 1995, and the world was different then.
For example, we had no Google or Facebook, Blackburn Rovers were Premier League Champions, Braveheart (directed by Mel Gibson) was the darling of Hollywood, and Iomega Zip Drives were used widely (ever so briefly as I recall) as portable storage. Oh! And the George Foreman Grill came into being. Mind you, it's still dope, right?!
Essentially, the law is changing so that the individual has greater protection from organisations, and more say in how their data is collected, stored and secured. In addition, it will provide companies with a simpler legal environment, and will introduce more stringent compliance requirements.
That said, the really big practical impact on businesses is the potential for a shift in company culture, responsibility and processing. In short, the more disorganised your business is, the more adhering to this law will hurt.
What does the GDPR stand for, and what does it mean for UK businesses?
GDPR stands for the General Data Protection Regulation, which is also known as the EU GDPR and the Data Protection Act reform.
In short, it is the replacement for the Data Protection Act 1998.
It's an EU law regulating the protection of personal data.
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). So, ‘natural person’ is a living human being, and ‘data subject’ is someone whose data you have.
It should be noted that the regulation covers both digital and manual (paper-based, unstructured) systems.
Who does the GDPR apply to?
The new law will apply to any organisation (‘Data Controller’ or ‘Data Processor’) that processes personal data, which belongs to individuals (‘Data Subjects’) within the EU.
Some key terms here for context:
- ‘Data Subject’: this is a customer, client, patient, prospect or suspect – any ‘natural person’ (a living individual).
- ‘Data Controller’: this is an organisation (business) that has a relationship with a ‘Data Subject’, and “processes” their personal data. The controller will determine the manner or purpose for processing the ‘Data Subject’s’ data. For example, all organisations that employ staff are ‘Data Controllers’. Also, if you capture or use customer/client data to provide a service/product, it’s very likely your organisation is a ‘Data Controller’.
- ‘Data Processor’: a third-party organisation/supplier that works on behalf of a ‘Data Controller’ and processes personal data on their behalf. For example, an outsourced Human Resources payroll provider or Cloud Service Provider.
One final thing: GDPR applies to any organisation (Controllers and Processors) handling the personal data of individuals in the EU, irrespective of where the processing takes place. For example, if a company based in the US markets or provides a service or product to even one person who resides in the EU, it will have to comply with the law.
When does the GDPR become law?
25th May 2018.
The Information Commissioner’s Office (ICO) has stated that:
“Regardless of your size […] If a company is subject to a cyber-attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation coming into force next year, those fines could be a lot higher.”
Note: The ICO is the UK ‘Supervisory Authority’ whose role it is to assess if organisations are using appropriate measures to protect personal data, and to enforce compliance with the regulations.
How do businesses prepare for the GDPR, and the steps required to be compliant?
Wow! This is such a big question. The short answer is to start by going to the ICO website. They have a 12-step process to help organisations become compliant.
Here are a number of practical activities, which we have shared and delivered to our clients. They should help you on your way. Remember, the focus of the GDPR is to identify where your business processes personal data, take the appropriate measures to protect it, and ensure your clients, prospects etc. know.
- Register your business with the Information Commissioner’s Office (ICO): https://ico.org.uk/for-organisations/register/ (Not sure if you should register? Then take the online test (approx. 5 mins): https://ico.org.uk/for-organisations/register/self-assessment/)
- Treat your General Data Protection Regulation (GDPR) changes as a business project. As a result, you’ll need to allocate the appropriate resources (people, technology, finances etc) to ensure your success.
- Create or update your Risk Register. Add your GDPR risks to this list.
- Wherever you start, the implementation of the GDPR requirements will be a business transformation. However, once in place it will become business as usual, rather like health and safety (e.g. requiring annual audits and tests once in place).
- Don’t forget your manual records. Filing cabinets, box files etc. Are they locked away securely?
- Make a list of all your business processes, which use personal data. Suggestion: break them down into business functions, and ensure you include input from key personnel/suppliers.
- Make a list of all your suppliers where you exchange personal data. Establish if you are the Data Controller or the Data Processor in the relationship. Once known, you will need to undergo an exercise to update your current contract(s) and/or put contracts in place. This is a key GDPR requirement. PRO TIP: Reach out to a legal professional that specialises in data protection law.
- Consult your HR Specialist. Employee contracts and enrolment processes will need to be updated and reviewed as part of your GDPR project. This is another key GDPR requirement.
- Carry out a Data Inventory. Enter each business process through the workbook, and complete it to the best of your ability. This can be an onerous exercise. However, once you conquer this, it will reveal most of the gaps in your business and provide you with the opportunity to mitigate any major risks. Keep this up to date, as it is one of the key documents the ICO will ask for if you are investigated. PRO TIP: Assess business processes as they really are, not as you think they should be.
- Embed a risk-based approach to your business. Start assessing risk from the perspective of the Data Subject (Client, Customer, Patient, member, Prospect, Suspect etc.). If you introduce a new system, carry out a Data Protection Impact Assessment (DPIA).
- Implement or update your Subject Access Request (SAR) process. Remember, under the GDPR this needs to be done within 30 days.
- Introduce a new process to manage data portability. If a Data Subject asks to close down their account with you and move to a competitor, you need a process in place to fulfil this requirement.
- Create Breach Response Plans. For example, would anyone in your business know what to do if your business had a ransomware attack? You have 72 hours to inform the ICO/Data Subject.
- Update your Privacy Policy. Once you have successfully completed your data inventory, revised/implemented your SAR process etc. this will inform you how best to update your privacy policy.
- Train Staff. Ensure your employees and suppliers are given the necessary support to do their job.
- Keep records. And ensure they are up to date. This will serve to demonstrate your compliance. Your Data Inventory, risk register, records of staff training, SARs processes etc are a few items that would fall into this category.
- If in doubt, get help! The ICO website (https://ico.org.uk/) is a great resource; however, it can be overwhelming. It often works out cheaper to hire professional assistance for your project.
- Create a list of your current marketing activities. Understanding where and how you market to your clients and prospects will allow you to complete your Data Inventory.
- Make a list of all the software applications you use to run your business. Understanding what apps you use will help you successfully complete your Data Inventory.
- Determine if you require a Data Protection Officer (DPO). In the vast majority of cases it will not be mandatory for small businesses to hire a DPO. However, it is recommended that someone in your business has responsibility for data protection, rather like Health and Safety. This role can be sub-contracted to a specialist company like ours.
Next Steps
Work through the activities highlighted in the “how” section of this post, and I would also love to invite you to schedule a free 30 minute GDPR consultation. We’ll find out about your business, and outline the key activities you’ll need to undertake to demonstrate accountability.