Whatever side of the Brexit debate you sit on, it is becoming increasingly likely that the UK will no longer be part of the EU from the end of October.
This presents an array of challenges – and arguably opportunities – for small and medium-sized enterprises (SMEs).
However, one key aspect that business leaders must be aware of is GDPR and Brexit and how leaving the EU will affect their operations in terms of data security.
See also: GDPR one year on: what fines have been issued so far?
What the government says you should do
Guidance from the Information Commissioner’s Office (ICO) has confirmed that whether we leave with EU with or without a deal, most of the data protection rules affecting SMEs will remain the same.
The good news is that UK businesses that comply with GDPR and have no contacts or customers in the EEA (the EEA is the EU plus Iceland, Norway and Liechtenstein) don’t need to do much more to prepare for data protection after Brexit.
What if you receive data from Europe?
However, UK businesses that receive personal data from contacts within the EEA must take additional steps to ensure they are fully compliant after Brexit, which may require designating a representative in the EEA.
Brexit aside, there remain questions as to how compliant with GDPR small businesses are across the UK, despite it being a year since the legislation was introduced.
To gauge the attitude of businesses, Shred-it commissioned a survey of 1,439 UK-based SMEs which found that 72pc of respondents said they were very aware of GDPR.
Is small business GDPR confidence justified?
While this is positive news, the biggest concern is whether that confidence in GDPR-readiness is justified. Less than half (45pc) of the firms who said they were ready to deal with data protection requirements also said they had reviewed their data protection policies recently. Just over a third had emailed their customers to confirm consent to data use, less than a quarter had published a privacy notice, and just over two in 10 had reviewed, deleted or destroyed personal data.
These results indicate an imperative that SMEs need to take a more proactive approach to data protection.
See also: 9 steps to GDPR compliance for your first business website
5 things you need to do to be GDPR compliant
- Stay up to date with privacy laws: First things first. Businesses must stay up to date with privacy laws and understand what action – if any – they need to take to comply – particularly post-Brexit. The ICO provides clear guidance on its website.
- GDPR affects paper records as well: What’s also important to remember is that data protection refers to both digital information, as well as paper records.For digital data, companies can take simple measures to ensure they are compliant with GDPR, including setting secure usernames, passwords and PINs for all devices, installing anti-virus software and a firewall on hard drives, avoiding sharing files on public Wi-Fi or posting confidential files on social media platforms, and avoiding opening files or links from an unknown sender.
- Do not keep personal information on desks: As with digital data, companies should also have strict internal procedures in place to deal with the protection of paper records. Inadequate long-term storage of paper documents, such as archives with unrestricted access, are a key point of vulnerability. Important documents containing personal information left on printers, desks and in waste-paper baskets overnight are also a compliance risk.Best practice should include the provision of locked confidential information consoles that are easily accessible, and company-wide policies that encourage a clean desk at night.
- Destroy documents after mandated storage: Businesses should also be arranging for the secure destruction of documents after use or after prescribed periods of mandated storage, keeping only digital copies of essential files in an encrypted format.
- Ensure staff understand data protection policy: But, more important than all, businesses must have a strict policy on data protection that is communicated clearly to all employees and updated whenever necessary, in order to avoid a potential breach.
Ian Osborne is vice-president UK and Ireland, Shred-it
What does GDPR mean to me and my business?