Data protection and privacy: How should SMEs prepare for GDPR?
What is GDPR?
The EU General Data Protection Regulation (GDPR) is a new legal framework to be introduced in all EU member states from 25 May 2018 to create a harmonised data protection framework.
Why has it been introduced?
Current legislation, including the UK’s Data Protection Act 1998, was put into force before online services and cloud technology were widely used, so key points about protecting people’s data were not covered.
GDPR will give individuals more control over the use of their personal data and clearer guidance to organisations on how people’s data can and should – and should not – be used.
It also explains what ‘personal data’ means: this can be ‘any information relating to an individual, whether it relates to his or her private, professional or public life,’ including names, contact details, IP addresses, social media accounts, medical information and bank details.
Who does it affect?
The GDPR broadly applies to SMEs in the same way as larger organisations, with some small exceptions, so it is important to understand the scope and implications of what is required.
GDPR is also applicable to people or organisations outside of the EU offering services or products to, or recording data of, people living within the EU.
What should I do?
All organisations must make sure that personal data is processed lawfully, transparently and for a specific purpose. There are several practical steps that organisations can take now:
- Appoint a Data Protection Officer to take responsibility for GDPR compliance. This could be a current member of staff or a new full-time role depending on the amount of sensitive data.
- Document current data and the way it is processed, including how and why it was obtained, how it is recorded and who it is shared with. Also consider how securely it is stored and potential privacy risks, particularly if data is passed to third parties.
- Seek consent from anyone whose data is held or processed. Individuals need to explicitly opt in; consent cannot be inferred through silence, inactivity or pre-ticked boxes. Organisations must record when and how an individual gained that consent, which can be revoked at any time. If organisations collect data about children, they will need consent from a parent or guardian. Age verification might be necessary in certain circumstances.
- Plan how to respond to requests about personal data. Individuals have the right to check what information you have about them, including why you have that data, how long you have had it for and who has access to it. They can ask for it to be changed or deleted at any point – usually referred to as ‘the right to be forgotten’.
- Develop a data breach response plan so that response to a breach is prompt and efficient. Those whose data has been breached should be informed about it as soon as possible, and the ICO should be informed of any breaches within 72 hours.
- Raise awareness of GDPR throughout the organisation. Anyone holding or processing personal data should be aware of the regulations and what they need to do to be compliant.
What if I don’t comply?
If organisations breach the regulation, they will face huge fines: up to €20 million or 4% of your global annual turnover, whichever is higher.
Cyber security has been covered extensively by the media in the past few years, so they could also face negative coverage and reputational damage.
What about Brexit?
As it applies equally to organisations around the world storing data about people living in the EU, organisations with interests in EU member states will have to comply with the regulations.
The UK will remain a member of the EU for two years after formal notice of Article 50 is given or until negotiations are completed, so organisations must comply with the regulations. It is likely that the GDPR will be written into UK law even after Brexit, with similar or the same data protection requirements.
All organisations are advised to plan for GDPR coming into effect and to ensure ongoing compliance.
For further information or guidance, please contact:
Partner and Head of Employment
T. 020 7227 7410
This briefing is for guidance purposes only. RadcliffesLeBrasseur accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.