What is the General Data Protection Regulation (GDPR)?

  • The GDPR is a new piece of European legislation that applies across Europe (including the UK whilst we remain a part of it) from 25 May 2018. It is about as popular as the rules on the shape of bananas. It replaces the current European legislation (the Data Protection Directive) and its UK equivalent (the Data Protection Act 1998).
  • The purpose of the GDPR is to impose certain conditions on those organisations who handle your data to ensure you know what is happening to your information (where it is going, what it is being used for, who else might see it). It also aims to ensure that your data is kept secure and is not used in a way that is excessive or unfair. Almost all information about you will be protected as long as you can be identified in some way by it. This includes information with your name or email address on but also less obvious identifiers such as your IP address. It helps protect consumers but poses a real cost to businesses who need to review and adapt their compliance.
  • All businesses which use third-party contractors to handle their customer data (known in data protection lingo as ‘data processors’) will be impacted. Examples of these parties are the companies that operate businesses’ opt-out and marketing lists, store their databases, analyse their consumer data and track online behaviour or website use, as well as their payment processors and delivery organisations. This is not an exhaustive list. Those data processors are now directly liable to individuals if they mishandle their data. The processors are also subject to certain rules (for example, on notifying data breaches and record keeping), and this affects their contracts with their business customers, so most businesses may be receiving (if not negotiating) a host of new third-party supplier contracts. Businesses also need to give their consumers much more information than ever before about the identity of all the third parties who handle their data.
  • The most impacted sector is the retail sector because of the large amount of consumer data they process. Retail businesses will have to consider the legal basis on which they use their customer data and are likely to need to ‘refresh’ all their existing customers’ consents by effective (and legal) marketing campaigns. The new rules require customers to be much more explicit than before about what they are consenting to. A tick box indicating that you have read and understood the terms and conditions and privacy policy is about as useful as a chocolate teapot.
  • All businesses will need to review the way their IT systems use individuals’ data and check it is legal.
  • All businesses will need to adopt a much more rigorous approach to data protection than before. Small businesses will feel the effect of these changes because to date, many are simply unaware of their obligations and the level of fines for non-compliance. Most will not have a ‘data protection officer’ or at most, it is a role that is lumped on an unfortunate staff member along with health and safety and first aid. This will need to change and all businesses must have someone within the business who is actually up to speed with what the new rules mean.
  • The job of checking compliance is, of course, exponentially bigger in large companies, but they have the resources to match this. Small businesses will struggle with the time and cost it takes to do this. All companies will benefit from an audit of their existing compliance programmes.
  • There are (unconfirmed) rumours within the data protection industry that regulators will target their enforcement powers on SMEs at first (although this seems surprising). So waiting and seeing what your competitors do is a risky business.

What does it mean for SMEs?

All businesses offering goods/services to consumers in the EU will be impacted. This is because:

The legislation changes the rules on handling employee data (and almost all businesses have employees). Each business will need to review the legal bases on which they handle their employees’ data.

What do SMEs need to do and when?

It makes sense to implement some of the changes required under the GDPR now because of the extent to which the new rules affect business practices. Auditing of existing compliance will not take long, but the time it takes to redress the non-compliance may be lengthy.

  • You should consider an audit now. Keystone can assist you with this.
  • You should plan your customer consent refresh campaign and update your website and privacy notices as this takes time, particularly when most website developers are likely to need long lead times because of demand.
  • Identify your third-party data handlers and get all the information you need from them to ensure GDPR compliance. You may well not be in a position to negotiate contract changes and, if so, you will need to choose another provider or assess the risks to your business if you continue with non-compliant suppliers. Don’t assume that because your supplier is a ‘big business’ your compliance issues are solved; they may be struggling with GDPR compliance, particularly if they are overseas.
  • Update staff guidance and train them on the new rules.
  • Your HR teams will need to review their employment practices and also be trained on the updated rules on giving individuals access to their information. Any individual may ask an organisation that he/she believes is holding his/her personal data for all the information it holds about him/her. This is known as a ‘subject access request’. Although there are certain exceptions on what needs to be provided under the current rules, these exceptions do not apply under the GDPR and the UK Government is hamstrung as to how many of these current exceptions it can carry over into the new rules. Be very careful what you write down about individuals (electronically or otherwise) as they are likely to be able to see it.
  • Your IT team will need to review whether you could improve security and minimise data input where it is not needed, and check that you understand where all your data is stored and that this is compliant with the new rules.
  • You need to have a data breach plan.
  • Some particular types of business (particularly any business offering online behaviour advertising services or website analytics) will need to consider if they need to employ a new Data Protection Officer who is a quasi-legal and highly technical member of staff with a very specific and in-demand skill set. This can be outsourced.
  • Your board need to be aware of these changes and compliance should become a standing item on your board agenda.

What if we ignore the rules?

  • You may not realise the level of fines for non-compliance. Fines are punitive. Non-compliant businesses can be fined up to 2–4% of global turnover or 10m/20m euros if greater. Per breach. That is enough to make most business owners sit up and take notice.