“We’re all going to have to change how we think about data protection”, the Information Commissioner noted at a lecture for the Institute of Chartered Accountants last week (full text here). Those who are familiar with the new General Data Protection Regulation (GDPR) will know that she is absolutely right about this. Brexit is not going to “intervene” in that respect - the GDPR will have come into force before the UK leaves the EU. In any event, those who want to do business in the EU (for example, by offering goods or services to individuals in the EU) will need to comply.
The Information Commissioner’s speech is most striking because of her comments about small businesses and accountability. That will include many of the entrepreneurs for which we act. 99% of the UK’s 5.5 million businesses employ fewer than 249 people. The Information Commissioner’s Office (ICO) says that if individuals are going to see their rights respected these small businesses are going to need to be ready to comply with the GDPR when it comes into force in May 2018. Her speech, and particularly her reference to the fines levied in the past year, seems to have been a marker in the sand. “You have been warned!”, the Information Commissioner is clearly saying.
Small businesses often process huge quantities of personal data. They also often use direct marketing, with all the additional considerations that brings. The Information Commissioner stressed the importance of accountability, highlighting that “it’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”
There is plainly now a move towards compliance by design. In other words, the GDPR expects businesses to change their approach and implement systems, policies and frameworks that ensure compliance. Small businesses often have less to invest. They commonly do not have teams dedicated to compliance. They can, therefore, be less well prepared for legislative and regulatory changes such as this. These factors, as well as the potential repercussions if they are caught short, mean that it is even more important for small businesses to begin preparations for the GDPR’s introduction early. With an implementation date only 16 months away, that means that small businesses need to be considering right now how they are going to do this.
Last year, more than £1 million of fines were levied on businesses that didn’t get it right, and that’s before the changes to enforcement that will be introduced as a result of the GDPR. For the most serious breaches, the ICO will have the power to fine companies up to €20 million or 4% of total annual turnover. So failing to comply has the potential to seriously impact a business’s bottom line. But perhaps more importantly, issues of privacy and data security are increasingly important to consumers and customers. It is not only a regulatory or compliance issue, but a customer service and reputation issue. It is what customers increasingly expect from a “good” business. The Information Commissioner was keen to stress that those businesses that embrace this change may be the ones to thrive in the new environment.
We recognise that poring over 200+ pages of data protection legislation isn’t everyone’s cup of tea. So, to give small business owners a helping hand in their preparations for the new regime, we will shortly be producing a blog post which will summarise some of the key provisions of the GDPR that will impact upon small businesses which store and process large amounts of data. Our focus will be on businesses in the technology sector which provide cloud-based applications via the internet; however, the provisions considered are likely to be relevant to all entrepreneurs who are in the process of preparing for the GDPR’s introduction.