Despite the EU implementing strict rules around data protection last year, some SMEs haven’t made changes to be compliant, putting themselves at huge risk. GDPR one year on and some small businesses are still exposed. Overlooking it could have costly repercussions by way of hefty fines and reputational damage.
On May 25 2018, the EU introduced its biggest transformation of data protection legislation with the introduction of the General Data Protection Regulation (GDPR).
Although most businesses were making sure they were compliant in the months leading up to its enforcement, many businesses (including SMEs) weren’t GDPR-ready.
Small businesses may consider compliance with the Data Protection Act 2018 (“DPA”, which incorporates the GDPR in the UK) to be just another administrative burden and, given their size, hope that if they keep their fingers crossed and ignore it, it might go away. This isn’t the case; all businesses that process personal data are subject to the DPA.
Organisations found in breach of the DPA face administrative fines of up to 4 per cent of their annual global turnover or €20 million (whichever is greater).
GDPR one year on
Since the GDPR came into force, fines have been distributed across the EU, with smaller organisations also falling subject to scrutiny.
Small businesses get fined too
For example, in March this year, the Polish Personal Data Protection Office levied a €200,000 (£180,000) fine on a small digital marketing company (Bisnode). The company had failed to act on the GDPR requirement to inform data subjects of its data processing activities. At the other end of the scale, Google was fined €50 million (£44 million) in January by the French Data Protection Authority (CNIL) for violating its obligations around transparency and appropriate user consent on its website.
The new laws were designed to keep all businesses better protected and to deal with security breaches effectively. An SME should be doing the following to ensure it is processing data securely in line with GDPR one year on.
6 steps to ensure you’re GDPR compliant
Update policies and procedures
The individuals whose data your business uses must be informed, through a privacy notice, of the types of personal data you hold relating to them, how their personal data is to be used and for what purpose(s).
An internal-facing data protection policy (a privacy standard) should be implemented. It should set out the principles and legal conditions you must satisfy when obtaining, handling, processing, transporting or storing personal data, and should cover customer, client, supplier and employee data. An updated policy will demonstrate how your organisation processes personal data and make employees aware of their obligations.
Businesses are required to review contracts with third parties where the processing of personal data is involved and ensure they’re updated with each party’s obligations, whether as a data controller or data processor.
Educate your organisation
All employees need to be aware of their data regulation obligations. Keeping them trained on your new policies, notices and procedures will ensure these are followed consistently and promptly. In some organisations, a data protection officer must be appointed to formulate and implement strategies on data processing and to keep the organisation educated. However, SMEs may not have the capacity to make this appointment, due to lack of resources. If so, it’s worth outsourcing to a legal data protection expert to ensure everyone knows their responsibilities.
Consent
The DPA sets a high standard for consent. It must be explicit, freely given and unambiguous. Review your organisation’s consent mechanisms. In particular, make sure approval requires an affirmative “opt-in” action. This rules out pre-ticked boxes as a legitimate form of giving consent, since they provide no positive indication from the individual. It’s advisable to keep consent separate from other T&Cs, and it shouldn’t be a precondition of signing up to a service. You must notify individuals of their right to withdraw consent and offer them easy ways to do so at any time.
If your existing consent mechanisms comply with the DPA, you don’t need fresh consent.
The right to be forgotten
A new rule under the DPA is the right to have personal data erased (“the right to be forgotten”). Although the right only applies in certain circumstances, your organisation must have the capability and procedures to comply with such requests. You’ll have one month to respond substantively.
Subject access requests
Every individual has a right of access to their data, and you’ll need suitable procedures to deal with subject access requests. In the employment setting, access requests are made in ongoing disputes or tribunal claims. Requests are increasingly made by individual customers who are dissatisfied with customer service. An individual may genuinely wish to see what personal data is being processed and whether it’s accurate. Others make requests because of the time, effort and expense they can cause, and to achieve a settlement. Regardless of motivation, be helpful, respond substantively within a month (as opposed to 30 days under the old legislation) and provide the data in a machine-readable format. Under the DPA you aren’t allowed to charge a fee, save in limited circumstances.
Responding to data breaches
It’s essential that employees are fully trained and equipped to understand and recognise what constitutes a data breach. Your data manager or data protection officer will need specialist training in responding to a data breach.
Employee error is a highly likely cause of security incidents in SMEs, so you will need to adopt internal procedures for dealing with data breaches and require the same from third-party processors. These should cover how to identify a data breach, how it will be investigated and how to assess its implications. Remember that certain breaches must be notified to the Information Commissioner within 72 hours of discovery, and the affected data subjects must be informed where there is a substantial risk of harm.
Small businesses should take action to ensure their data is securely managed. Those that comply with the GDPR one year on will not only avoid potential fines and reputational damage, but will also find that their data handling, compliance processes and contractual relationships are robust and reliable, keeping their business secure for years to come.
Chris Cook is a partner and head of employment and data protection at SA Law