The European Union’s GDPR (General Data Protection Regulation) Act will come into force at the end of May. Many business owners in the United Kingdom have yet to prepare themselves for this new regulation, and others do not know what it exactly entails. In this post, we shall explain what GDPR means for owners of small to medium sized enterprises.
GDPR: What Does it Entail?
GDPR will be introducing much stricter data protection laws and give EU citizens much more control over how businesses use their personal data. In the UK, GDPR will replace the Data Protection Act that was brought into law in 1998. The reason for the implementation of this law, is to deter big companies like Amazon and Facebook from offering their services for free, in exchange for the personal data of the user. The current scandal that has been dominating the news over the past month – the Cambridge Analytica files – is a prime example of a case that could have been avoided through GDPR. If a business is found to be in breach of this data, it could lead to a fine of up to 20 million Euros.
Citizens of the EU now have the right to request companies to delete their personal data. “The right to be forgotten” is an important part of this legislation, as you now must comply with the wishes of ex-customers who do not want their personal information in your database. This only applies to customers who have no binding contract with you anymore.
As the United Kingdom is leaving the European Union, the UK parliament has drafted a similar law entailing the same regulations to ensure the safety of personal data will be protected beyond Brexit.
Why is GDPR Important for Small Businesses?
Contrary to popular belief, GDPR also applies to business that have less than 250 employees. If your business processes personal and/or sensitive data, such as a customer’s name, details address or bank details – the GDPR also applies to your company. You must know where that data comes from, what it exactly entails and if you have a good reason to be in possession of that data.
GDPR seems like a minor measure but failing to comply can have profound consequences as stated earlier. From fines and compensation claims, to a shattered reputation due to an administrative error: GDPR can turn into a nightmare for you and your company. On the other hand, implementing this correctly can lead to great advantages for you in the marketplace. Proving to your clientele you are indeed compliant with these laws, shows that you are a company with integrity. Growing your target demographics trust can be of excellent value to your business in the short term, but also in the long term.
GDPR For Small Businesses: A Checklist
Keeping compliant with GDPR should not be an issue for most companies that value privacy and sensitive data. However, this list should give you an indication of the standards necessary.
- Are you relying on consent to process personal data? If so, you need to ensure that this is clearly translated to the customer. Instead of “passively agreeing” – for example; “by using our service you agree to….”, you must now actively request an agreement from your customer, and only be able to gain their data by gaining a clear yes.
- Having the right security measures in place could go a long way in preventing fines and compensation claims. Encrypting your data could be a measure to implement to mitigate that risk.
- Ensure you have an access request system that allows your clients to access their data within a time frame of a month. You will also need to provide “Fair Processing Notices” to customers. That means you need to clearly communicate with each customer what you are planning to do with their sensitive data.
- Train your employees to report serious breaches within 72 hours. Having a collective understanding of the new regulation could go a long way in preventing possible security breaches.
- Get to know your suppliers and contractors. A personal data breach on their side could impact your business as well.
- If you are a business, and your activities involve regular tracking and processing of sensitive data, you might need to employ a Data Protection Officer (DPO). If you are unsure if you need to employ a DPO, the Information Commissioner’s Office website has a great checklist to help you.
At the Financial Management Centre, we are committed to performing accounting and bookkeeping work in a correct and ethical manner, especially when it comes to privacy and sensitive data. Are you in need of an accountant and/or bookkeeper? Contact your nearest The Financial Management Centre today for more information.