By Mark Chimley, founder of DPHub
After years of negotiations and endless rewrites, the General Data Protection Regulation (GDPR) is almost upon us. In fact, it’s already here but, from May 25 next year, it will officially become applicable. Every business processing personal data on EU citizens will be affected, both now and in post-Brexit Britain under the new Data Protection Bill. With six months to go, it’s not a hopeless task for SMEs which haven’t yet looked at the new law. But there’s certainly plenty to do, with potentially business-busting fines looming for those that blatantly flout the regulations.
So where do you start? To get your GDPR house in order, focus first on the data itself: what you hold, where it’s located and how it’s being used.
Time for fines
The trade press has been saturated with GDPR coverage for months now. Yet many small business owners may not have had the time nor inclination to research the new regulation, or else don’t think it applies to them. Back in October, law firm Collyer Bristow claimed 55% of UK small businesses aren’t familiar with the GDPR. Why is this concerning? Because 18% of respondents claimed their business could go under if they’re forced to pay the new fines. These will raise the maximum that data protection watchdog the Information Commissioner’s Office (ICO) can levy for non-compliance from £500,000 today to a staggering £17m or 4% of global annual turnover, whichever is higher.
What’s more, it will be almost impossible to hide the impact of a serious data protection incident: significant breaches must be reported to the ICO within 72-hours, under the new rules. It’s true that regulators won’t be looking to make an example of UK SMEs from 25th May onwards. In fact, Information Commissioner Elizabeth Denham has already said: “fines under the GDPR will be proportionate and not issued in the case of every infringement.” However, those firms which “systematically fail to comply with the law or completely disregard it”, especially if there are significant privacy risks for the public, will certainly find themselves in the crosshairs.
All about the data
The GDPR is all about making the EU’s data protection laws fit for the digital age. So, the best place to start your compliance efforts is with the data you hold or process on customers and employees. However, less than a third (31%) of SMEs are clear what “personal data” even means in this context.
In fact, the definition has been broadened significantly under the GDPR. It now covers “any information relating to an identified or identifiable natural person”. In reality, this means almost anything you hold that can be traced to a UK and/or EU citizen. Typical personal data processed by small businesses will include staff details, business contacts and customer information. More specifically, you will need to consider names, addresses, email addresses, dates of birth, telephone numbers, identity numbers and IP addresses, as well as more sensitive information on their health, beliefs, race, criminal offences, preferences and opinions. Images such as staff photos also count.
The best place to begin is by analysing your business and listing all the types of personal employee/customer data you deal with. Conduct a mini-audit to reveal the type of data; where it came from; where it’s processed and stored; and what it’s used for. If there’s any data related to special categories such as children, health, religious beliefs, or criminal offences, make a note of this as it could change how you process or handle it.
Once you’ve categorised the type of data and where it came from, consider all the places it might be stored and processed. These could include laptops, cloud systems, phones, desktop PCs, and even paper-based filing systems. Many small businesses will make use of third-party service providers to help process the data they hold. These entities are jointly responsible with your business for the protection of any customer and employee data, so it’s important to also note these down.
Finally, be sure to list the reason for storing/processing this data: personal information on staff may be needed to comply with employment regulations, while customer data is likely to be held in order to sell them goods or provide services, for example.
The road to compliance
Thus, a typical small accountancy business might list the type of data (customer contact details including names, addresses, telephone numbers and email addresses); the source (customer email and contract forms); the location (in-house customer database); and the reason (to provide accountancy services). Remember to note any data that isn’t currently being used or hasn’t been used for a while. One of the key principles of the GDPR is to minimise the personal data you hold — thereby reducing the risk of a damaging breach — so you may want to go back, check and delete that data in time.
Once you’ve classified the data, you can then go on to establish how it’s being protected and whether you need some new controls to keep it safe and secure. By breaking down compliance into bite-sized chunks like this, GDPR compliance starts to become more manageable, and that six-month deadline will seem a little less daunting.