GDPR for small businesses: What it means for you
We look at how the new data protection laws will impact SMBs
The new regulations have already bared their teeth over data breaches involving British Airways and the Marriott hotel chain, resulting in collective fines of almost 300 million. However, although only large corporations have so far faced regulatory action, it's as important for small businesses to take note of these fines, particularly as these can be percentage-based.
Unfortunately, data protection is going to become an even greater headache for smaller businesses if the UK leaves the EU without a deal on 31 October. While GDPR will be enshrined into UK law as part of the European Withdrawal Act, the limited ways in which UK businesses are legally able to receive data from the EU will hit small businesses the hardest.
Do I need to abide by GDPR?
Yes, you do. There's a lot of misinformation floating around the internet on this topic, especially when it comes to the UK's relationship with the EU.
Fundamentally, GDPR will still apply to the UK after it leaves the European Union. Not only have the principles of GDPR already been applied to UK law in the form of the Data Protection Act 2018, the EU's data laws will also be enshrined into UK law as part of the European Withdrawal Act.
That means that the UK's Information Commissioner's Office will use the DPA 2018 and GDPR side by side when dealing with instances of data misuse in the UK.
How GDPR applies to small businesses
Generally speaking, most articles of GDPR apply to both large and small businesses. In that sense, small businesses need to follow the same rules and advice set out in our comprehensive GDPR guide.
Some differences do exist, however. Under Article 30 of GDPR, small businesses with fewer than 250 employees are exempt from having to keep records of their processing activities, whether in the capacity of a controller or a processor. This exemption is lost if the processing is likely to create a risk to the rights and freedoms of data subjects, or if processing happens on a regular basis.
It's also generally understood that small businesses have fewer resources than larger organisations, and therefore the Information Commissioner's Office will take into account any difficulties a smaller firm might encounter when trying to comply with the new laws.
Aside from these minor stipulations, small businesses should consider themselves equal to larger firms in the eyes of GDPR. This includes keeping internal records, if you do not meet the exemption criteria.
What's more, given the nature of joint liability established with GDPR, small businesses that find themselves dealing with larger corporations will need to comply with those same legal requirements.
Do I need a data protection officer?
Yes, you might. The factors behind whether or not you need such an officer are based on what data you collect, and how much you collect, rather than the size of your business. If your central purpose requires "regular and systematic monitoring of data subjects on a large scale" then you must appoint a data protection officer.
You must also appoint one if you collect records of criminal convictions, or ethnicity, religious or philosophical beliefs, political opinions, trade union membership details, health, sex life, or sexual orientation data on a large scale.
The EU does state that "a group" may employ one data protection officer between them, as long as the officer is readily available to each organisation.
The data protection officer is there to "inform and advise" on data collection practices and monitor compliance, as well as acting as the point of contact with the data protection authority, which in the UK is the Information Commissioner's Office.
What fines must I pay for getting it wrong?
Organisations face fines of up to 2% of their annual turnover or 10 million, whichever is higher, for infringing the GDPR code of practice, which includes failing to meet compliance requirements and inadequately assessing risk as part of a data protection impact assessment.
For actual breaches of people's personal data, that rises to 4% of turnover or 20 million, whichever is higher.
The "whichever is higher" is the key phrase for SMBs, who could be financially ruined by a data breach, meaning the risks are just as big - if not bigger - than for a multinational enterprise that could absorb the penalty in its next financial quarter without too much of an impact on its stock price.
However, these fines must also be "proportionate" (a key fact vendors offering data protection services often forget to mention). If you can prove (with extensive record-keeping and your data protection impact assessment) your policies and governance framework are designed to adhere to GDPR, but you still suffer a breach, the ICO would be unlikely to levy a harsh fine against you.
If, however, you cannot prove you've made any effort to comply with GDPR, and look ignorant of the law, the ICO will be more likely to issue a higher fine.
Should I be 100% GDPR compliant by now?
Although GDPR is over a year old, most companies are yet to be fully compliant with it. In fact, it's arguably impossible to be 100% compliant, as some of the regulation's provisions are incompatible with existing legal requirements UK businesses face, such as tax law.
The good news is that the ICO is sensitive to this issue, and provided you are demonstrating a will to abide by the new regulations, you're unlikely to receive a visit from an enforcement officer.
However, there are some clear steps to take to align your internal processes and practices with the data protection rules. A great place to start is to take a look at the ICO's 12-step guide to preparing for GDPR.
Some highlights here for SMBs are:
Conduct a data protection impact assessment (DPIA) - this is one of the key responsibilities under GDPR: all businesses are required to assess the level of risk that their data processing could pose to the rights and freedoms of data subjects. If you are able to show you have thought ahead and carefully considered how your processing may affect customers, this will go a long way to demonstrating your commitment to the new laws.
Document what personal data you hold - understand what personal data you hold, where it came from, who you share it with, what it was collected for, and whether it's still relevant and necessary for the purposes for which you collected it.
Ensure you can honour citizens' data requests - under GDPR, EU citizens can request that you delete, amend, or move their data to a different organisation. Your processes and technology must make it possible to honour these requests (read 'demands') within one month.
Establish a lawful basis for processing data - under GDPR, opt-out boxes aren't good enough anymore. Instead, you must establish a lawful basis for processing a citizen's data. If it's consent, this must be opt-in, and a citizen will only give their permission for their data to be processed for a limited period of time, for a narrowly defined purpose. Consent may also be withdrawn, so it's wise to consider what other lawful basis you can use to process data.
Prepare for data breaches - ensure your processes enable you to notify the data protection authority of a data breach within 72 hours of becoming aware of it.
Appoint a data protection officer - as discussed above, a DPO is an essential part of GDPR for businesses performing large-scale data processing. Appoint one sooner rather than later if this role is one your company must designate under the legislation.
No-deal Brexit effect on small businesses
UK businesses face a degree of uncertainty over how they will legally receive data from the EU post-Brexit, which could prove particularly problematic for small businesses.
The issue relates to the lack of an adequacy agreement, which is required in order for EU businesses to send data to the UK. While UK firms will have no problem sending data to the EU, they will need to fall back on legal alternatives, such as standard contractual clauses and binding corporate rules in order to receive data.
Unfortunately, standard contractual clauses and binding corporate rules are both expensive and time-consuming mechanisms that require heavy legal consultation, something that smaller businesses could struggle with. What's more, SCCs could be ruled invalid as a legal mechanism before the end of the year, subject to a ruling by the European Court of Justice - the background and implications of which you can find here.