What is GDPR?
If you run a small business, there are four letters you must be aware of ... GDPR. That's because in May next year, the General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 that currently governs the processing, handling and storing of personal data.
This will have a major impact on many organisations that have previously been exempt from data protection legislation.
What is personal data under GDPR?
Under GDPR, Personally Identifiable Information (PII) has been redefined to include any data that is held about someone and which could be used to identify them.
This covers not just someone's name, address and phone number but also any of their genetic, health, cultural, economic and social details, as well as 'online identifiers' like cookies and the IP address of their computer.
GDPR regulations apply to all aspects of our lives, covering not just information relating to our private lives, but also our professional and public roles.
Who does GDPR apply to?
Any small business that processes the personal data of an EU citizen is potentially affected by GDPR.
Brexit will provide no escape route, as the government has already said it will incorporate GDPR principles into UK law.
Those with over 250 employees must comply with the new regulations. However, GDPR is so far reaching that many much smaller businesses with less than 250 employees will also be affected by its requirements including sole traders.
Why is it important?
Many think GDPR compliance is a security or IT issue. It's not. Its impact will be felt much more widely than that. After 25th May 2018, if your existing customer data was collected in a way that wasn't GDPR-compliant - and it almost certainly wasn't - you will not be able to use it.
Those in breach of the regulations could face financial penalties of up to €20 million, or four per cent of their turnover.
GDPR impact on small business
GDPR has game-changing consequences for many small businesses that hold any personal information about customers, clients or prospects. Even something seemingly as simple as networking at an event will be affected. So, if you get the contact details of a potential client at a meeting, you will no longer be able just to add their details to your company mailing lists without complying with GDPR guidelines.
This means all businesses will need to adopt a much more rigorous approach to data protection than ever before.
Right now, unless you have taken steps already, it's unlikely that any system you have in place for gathering any kind of personal information, whether online or offline, will be GDPR compliant.
Unfortunately, many small businesses aren't aware of their obligations and therefore not making the necessary preparations.
According to Shred-It's seventh annual Security Tracker research, an alarming 84% of small UK business owners were still unaware this summer of GDPR and what it might mean for them. That means millions of small businesses across Britain don't know what's about to hit them.
How small businesses can prepare for GDPR compliance
If you want to stay GDPR-legal as a small business, you have two choices. You can either go back to the customers and prospects you have on your database and - in a GDPR compliant manner - ask them to re-approve your use of their data.
Or, as many organisations are doing, you can delete the wealth of information you have already gathered and start collecting it again from scratch.
Embedding GDPR processes into your business is going to be time-consuming because you will have to design data privacy into all your systems and processes. For example ensuring your employees personal data is safeguarded in your payroll software. That means you will have to develop different ways of working and retrain staff so that everyone in your company knows and understands their new data security obligations.
You will also have to look at your current software to see if it will keep you GDPR compliant. That includes any accounting package you are using.
As it stands, if these won't allow you to completely erase personal data on request, or once it is no longer relevant, you will either have to reconfigure it so it can, or switch to another system.
The Information Commissioner's Office (ICO) has launched a helpline for small businesses who need help preparing for GDPR. They are also offering a 12-step guide to achieving compliance.
The six GDPR principles
To become GDPR compliant as a small business you need to embed six privacy principles into your business operations. These are:
- Lawfulness, fairness and transparency
- Purpose limitations
- Data minimisation
- Accuracy
- Storage limitations
- Integrity and confidentiality
Consultancy.uk wrote a great post that explains how each GDPR principle relates to personal data collection in simple terms. Alternatively you can read the official law here.
Small business GDPR compliance requirements
GDPR is designed to give individuals greater control over their personal data, as well as making it easier for organisations to do business across Europe by simplifying existing regulations.
However, in the short-term, it means that as a small business you will have to revisit many of your systems and processes.
If your business depends on processing personal information you will, for instance, have to appoint a Data Protection Officer (DPO) who is responsible for GDPR compliance. Even small companies with only 10 or less employees may have to do this if they process the personal data of thousands of people.
Opt in, not opt out
In any event, if you want to be GDPR-compliant, you now need consent to collect data from individuals and tell them what you are going to do with it. So, your clients will have to 'opt in' to what you're offering rather than 'opt out'. GDPR means no more using pre-checked options when collecting personal data.
You will also be able to use the data you collect for only one purpose. GDPR's 'unbundled' consent means you must tell people what you want data for and get separate permission from them for each different use. No longer will a one-off consent cover marketing, maintenance, fraud checks or customer support.
The right to be forgotten
Under GDPR, you will have to consider how much personal data you actually need from someone. After May 2018, you will only be allowed to take information that is necessary and relevant to the purpose for which it is intended.
That means accurately managing your databases so you know what information you hold, where it came from and who you have shared it with. When you no longer need the data you have collected, you must get rid of it from your systems as soon as possible.
Again, this will mean monitoring and managing your accounting software to ensure you are dealing appropriately with information about both current and previous customers and suppliers.
You will also need to comply with what is known as 'right to erasure', or the 'right to be forgotten'. This means that you will have to correct or delete any inaccurate data you hold about someone when they ask you to do so.
Cloud services affected
If you do share inaccurate personal data with other organisations, you will have to tell them of any inaccuracies so they can correct their records. So, if you employ a cloud-based accounting service, outsource your customer support, or use a SaaS application provider to store customer data, you will need to get them to change that information too.
GDPR will undoubtedly impose unwelcome new burdens on smaller businesses. However, Elizabeth Denham, the UK's information Commissioner, who is in charge of data protection enforcement, believes it is "an evolution, not a revolution" in terms of data protection. In less than a year from now, many business owners will be discovering whether or not she is right.
