New Data Protection (GDPR) Rules – Is your Business Ready for the Change?

Following the introduction of the new General Data Protection Regulation (GDPR) rules in May 2018, UK businesses will be at risk of being fined up to €20 million or 4% of global turnover for infringing the rules.  Smaller businesses here in the UK seem to be largely unaware of the coming changes and are therefore most at risk of being hit with the new, heavier fines.  In a survey carried out for YouGov, only 22% of small businesses admitted that they were aware of the changes compared with 43% of medium sized businesses and 5% of large companies. 

Despite the fact that the new laws will be enforced from Brussels, the impending Brexit does not exempt UK businesses from the changes so compliance is essential.  In 2016 there was a record number of fines in the UK for data breaches with fines totalling £3.2 million and these are predicted to rise when the new rules are implemented in 2018. 

The new rules require businesses to be more transparent about how they collect and store customer data and any breaches will need to be reported to the Information Commissioner’s Office within three days.  The GDPR will replace the EU’s current Data Protection Act (DPA) as a framework with greater scope and tougher punishments for those who fail to comply with the rules. 

One of the biggest changes that SMEs face concerns the issue of consent.  The new regulations require companies to keep a thorough record of how and when an individual gives consent to store and use their personal data, and consent means “active agreement”.  This means that consent can no longer be inferred from a pre-ticked box; companies will need to show a clear audit trail of consent, which includes screenshots or saved consent forms.

Individuals will also have the right to withdraw consent quickly and easily at any time and their details must then be permanently erased, rather than just deleting them from a mailing list.  This means that companies will need to know at all times exactly what personal data they hold and where it is located (whether this is on PCs, on servers or in the Cloud) and have procedures in place to ensure the complete removal of data when a request to do so is received.  Companies will also need an incident recovery plan to deal with any repercussions.

Preparing for the changes will require companies to carry out a total information audit, and this needs to be planned for now, well in advance of next year’s deadline.  Personal data is a vital tool for small businesses aiming to target and retain customers, and this information needs to be handled with the utmost care and consideration.

GDPR will ensure privacy by design and default which means that from the initial stages onwards, businesses will need to consider the impact that processing personal data may have on an individual’s privacy.  This means that every new business process or product that may involve personal data or impact on the privacy of an individual must be designed in accordance with the new data protection requirements.