Small and medium-sized businesses are not exempt from the new General Data Protection Regulation (GDPR), which will come into effect on 25th May 2018. Here, we highlight just some of the measures that your business will need to put in place to avoid any penalties.
If your business is already complying with the current Data Protection Act (DPA) then it’s likely that your approach to compliance under the new GDPR will remain valid and can be built upon. However, there are a few things that you may not be aware of or may have to rejig completely in the period leading up to the enforcement date. They include…
Data protection officers
The GDPR requires that organisations appoint a Data Protection Officer if they are a public body, or engage in the systematic monitoring of large volumes of data on individual subjects, or engage in the collection and processing of special categories of personal data. However, SMEs must understand that all companies are obliged to devote sufficient resource to GDPR compliance, even if their circumstances do not require a dedicated Data Protection Officer.
It is important to note that the Data Protection Officer role must be independent of all other company functions – the obvious option of appointing the manager closest to personal data (for example, the HR director) is not available.
Businesses are no longer required to notify the Information Commissioner’s Office (ICO) of their data processing activities, but are instead required to maintain records of their processing activities. There is, however, an exemption for controllers and processors of data with fewer than 250 employees on the condition that the processing does not pose a risk to the rights and freedoms of data subjects, is occasional and does not relate to sensitive personal data.
Data subject access requests
Under the GDPR, individuals will have more information on how their data is processed. In most cases, organisations won’t be able to charge for complying with a request, but where requests to access data are manifestly unfounded or excessive, SMEs may be able to charge for or refuse them. Instead of the current 40-day compliance timeframe, businesses will usually have only a month to comply with requests.
While it was initially proposed that SMEs could get a written warning for their first non-compliance and unintentional offence, this was thrown out of the final draft. As a result, SMEs will be subject to a fine of up to €10m or two per cent of worldwide turnover, whichever is greater, for violations of record-keeping, security and privacy impact assessment obligations.
For more serious failures, companies can be fined up to €20m or four per cent of worldwide turnover. Breaches of GDPR must be notified to the Information Commissioner’s Office within 72 hours of the incident, although the admission can be delayed if the breach places individuals at risk. Where individuals are at risk, the company must inform them “without undue delay”.
Are you GDPR ready?
These are just some of the key implications of GDPR. Find out more by reading the IoD factsheet:
General Data Protection Regulation (GDPR): what every business should know
IoD members may also request template policies and guidance published by Practical Law (Thomson Reuters):
GDPR template policies and guidance for IoD members
GDPR will also be a focus of the IoD Open House 2018, 12-14 March 2018.