General Data Protection Regulation – A basic summary for small businesses
23rd May 2018
The new General Data Protection Regulation (GDPR) will come about on the 25th May 2018 – and with it a whole new series of regulations governing the storage and management of personal data.
The GDPR will replace the 1998 Data Protection Act due to advances brought via the internet, such as cloud technologies. Applying to all countries in the EU (as well as post-Brexit UK), all businesses will be legally obligated to comply with the act – the Information Commissioner’s Office (ICO) clarifying that a simple lack of knowledge will not excuse you from complying with the law.
So what does the GDPR do?
There are 2 key principles to the regulation:
- Giving citizens and residents more control of their personal data.
- Simplifying regulations for international businesses by applying an EU-wide regulation.
Does it apply to me and my business?
The GDPR will apply to any business (even outside of the EU) that processes data of EU citizens, regardless of the number of employees. It emphasises the accountability of businesses that collect, use and store the personal data of a client by requiring them to provide evidence of their compliance with the new GDPR. This will apply regardless of whether you are manually collecting and using data, or you use an automated system/software package.
Although a small business with fewer than 250 employees is not generally required to employ a data protection officer, there are cases where it might be necessary. For example, if you deal with “sensitive data” or contract with a larger company that conducts large-scale processing. This Data Protection Officer is there to ensure that the company complies with all GDPR obligations, as well as to be the main point of call for any data protection queries.
What are my obligations?
Although the GDPR enforces a long list of obligations, the main concern is consent.
The following checklist provides you with the key principles at a glance:
- Check your consent practices.
- Offer individuals genuine choice and control.
- Use a positive opt-in (don’t rely on pre-ticked boxes or default options).
- Explicit consent means a very clear, specific statement of consent.
- Keep your consent requests separate from other terms and conditions. Be specific, granular, clear and concise.
- Name any third parties who will rely on the consent.
- Make it easy for people to withdraw consent (and tell them how to do so).
- Keep evidence of the consent (who, when, how and what you’ve told people).
- Avoid making consent a precondition of your business services.
- Consent should put individuals in control, build trust and engagement and enhance your reputation.
(list courtesy of simplybusiness.co.uk, What is GDPR for small business)
It is very strongly recommended that if you have not already done so, and you are a business owner, that you read through the entirety of the GDPR. You can do so at:
Failing to meet the regulations could cause you to incur serious penalties, including prosecution, fines of up to £500,000 and obligatory undertakings – which are only set to get heavier once the GDPR has become active in May. And that is not even including the possibility of being sued by individuals who suffer as a result of your data management.
For help with any of your accounting needs, please contact Stack & Jones Accountants on 01869 277973 for a free 1-hour consultation.
Sources: simplybusiness, Information Commissioner’s Office, Rudge&Co.
Image Source: Pixabay