What every small business must know about GDPR – the new data privacy law

A new data privacy law will be introduced in May next year and here I take look at the key things every small business in the UK needs to know. The new law is called the EU General Data Protection Regulation (GDPR) and is a complete overhaul of the legal requirements which much be met by anyone involved in handling personal data of EU citizens.

The stated aim of the regulation is to give citizen’s greater control over what can be done with their personal data by businesses. This will be enforced by large fines – up to 20 million euros or 4% of a company’s global turnover – for non-compliance.

The regulation must be observed by any organisations with more than 250 employees, which on the face of it may give the impression that many UK small businesses will be exempt. However, it isn’t quite that simple. A business must still comply if it’s involved in regular “processing” of certain categories of personal data, which legally is taken to include collecting and storing as well as actually using data.

These categories include health data, information on individuals’ racial or ethnic origin, political affiliations, religious beliefs, genetic and biometric data and sexual orientation.

But…what about Brexit?

The UK will still be a full member state of the EU when the GDPR comes into effect in May 2018. Even when it eventually completes separation, all the indications so far are that Brexit won’t make much difference to the obligations of UK industry.

The UK’s minister responsible for GDPR has said the government will implement all of the principles of the GDPR into UK law through mirrored legislation (external link), and in March this year, the UK Information Commissioner published draft guidance on how changes around the issue of consent (external link) could be implemented.

However, as with most aspects of the UK’s relationship with the rest of the continent, things may not be that simple! Research published by The Register (external link) has suggested that there may be incompatibilities caused by the UK’s 1988 Data Protection Act – legislation introduced to ensure the UK was compliant with the EU’s 1995 Data Protection Directive – the law which the GDPR replaces.

Full compliance will be important because the powers of the directive extend beyond the borders of Europe and apply to any business which handles EU citizen data, whether or not the business is based in the EU.

What will the effects be for UK businesses?

In brief, the new legislation will mean that companies which need to be GDPR compliant will have three new responsibilities:

1. The first is to appoint a designated Data Protection Officer. This person will need to be adequately skilled (or trained) and have an “expert” level understanding of the organisation’s responsibilities regarding the GDPR.
2. Businesses will have to comply with strict new laws around reporting theft or loss of personal data under their control. Any such loss must be reported to the national data protection authority (in the UK, the ICO (external link)) within a maximum of 72 hours, and preferably within 24.
3. Changes have been made around the notion of “consent” – the clause which allows a number of uses of personal data – such as processing identifying information – as long as the person who the data belongs to has agreed to it.

Consent must now be explicitly given for this information to be used – by users opting into allowing it, rather than simply neglecting to opt-out. This will be applied retroactively – meaning data previously gathered without meeting the new standards of “consent” can no longer legally be used. Privacy policies will have to be updated as there is a requirement that companies make individuals aware of their new rights under the GDPR.

What should UK businesses do to prepare for GDPR?

The truth is that a lot of the obligations placed on businesses by the GDPR are “common sense” and should already be common practice among companies with solid data privacy and protection processes in place.

In reality, we know this is not always the case – companies large and small often make mistakes or missteps when it comes to personal data – and penalties for doing so will now be far higher.

The first step for many companies will be to appoint someone to the position of Data Protection Officer. It’s worth remembering that this doesn’t have to be a full-time employee and depending on the size of the company or the amount of data handled, some may choose to outsource this.

Businesses now have an obligation to make individuals aware of their rights under the GDPR as part of the data collection process, and this is likely to mean many privacy policies or T&Cs will need to be updated.

Clear plans should also be put into place for what should happen in the event of a breach. This will mean having a thorough understanding of what data within your organisation counts as “personal”, where it’s kept, who has access to it, and how to spot breaches when they occur, as well as who it must be reported to.

Another important step will be reviewing the consents that were given when data was collected. If it was collected under “opt-out” or other mechanisms which are invalidated by GDPR, an organisation is automatically open to prosecution if they continue to use this data for any purpose where consent is legislated as necessary.

Most importantly – start thinking about all of this sooner rather than later! Whether it is due to confusion over Brexit or not, my experience is that many UK companies are being slow to digest the implications, and implement the changes, of GDPR. May 2018 is fast-approaching and regardless of how closely the UK’s own legislation eventually mirrors GDPR, UK businesses will be operating under EU law for at least a year after that.

A comprehensive legislative infrastructure is vital to the healthy growth and evolution of the digital economy. Though it may seem counter-intuitive that imposing rules will make businesses better at wringing value out of data, in this case, it may be true.

Once individuals have the confidence that they can hand over data without worrying about their privacy being compromised, the true potential of AI, Big Data and analytics comes closer to being unlocked, and even more amazing uses are likely to emerge.