There is an unfortunate myth rattling around concerning GDPR and the small business. The myth suggests that small businesses are exempt; the reality is that there is a good chance they are not, and that means the future of your business may depend on understanding GDPR.
The key difference between a company that employs more than 250 employees and a company that doesn’t is that the larger company has to employ a compliance officer. The smaller company only has to worry about GDPR under certain conditions. It is just that those conditions apply to many companies.
The ICO, the UK regulator charged with the task of overseeing data protection and now GDPR, puts it this way: “If you hold and process personal information about your clients, employees or suppliers, you are legally obliged to protect that information.”
But let’s pull back for a moment: GDPR, which stands for General Data Protection Regulation, comes into force on May 25th 2018 and carries potentially very heavy fines – 20 million euros or four per cent of a company’s turnover.
But for smaller companies, the implications are more significant than that. If a client is fined for some kind of GDPR-related wrongdoing, and they can show it is your fault, then they may come after you for compensation. So, your potential liability is four per cent of your largest client’s turnover.
So, if you process an individual’s data, whether that of a customer, an employee, or indeed any other stakeholder, or process data on behalf of a client, you need to pay especially close attention to GDPR.
This means that you need written documentation showing that you have fully considered and put processes in place regarding GDPR-related issues.
Note that GDPR is an EU-wide regulation, although the UK government says that it will continue to apply GDPR post-Brexit.
Here are some tips:
First of all, you need to be able to show you have a comprehensive understanding of what data you hold and where it is – a data audit may be worth considering.
Secondly, consider the issue of consent. If you are relying on consent to comply with GDPR, check that all consent is appropriate – any consent must be freely given, transparent and unambiguous. You must have procedures in place for allowing consent to be withdrawn.
Thirdly, check security: ensure data is protected, and ensure procedures are in place and appropriate should there be a data breach.
Fourthly, there is the issue of access requests: under GDPR, individuals have the right to view the data held about them and to have it corrected where necessary.
Fifthly, make sure staff are appropriately trained and familiar with GDPR considerations and company policy.
Sixthly, remember that, just as your clients will expect you to comply with GDPR, you should make sure the companies that make up your supply chain are GDPR compliant – ensure you can demonstrate you have taken appropriate measures to audit your supply chain.
Seventhly, ensure you apply appropriate privacy notices and communicate what you are doing with data.
Finally, investigate the need to take on a compliance officer.
To find out more about GDPR, check out the next GDPR Summit London.