Written by Simon Morgan, South East London and North Kent
The General Data Protection Regulation (GDPR) comes into force next May, with fines for non-compliance reaching as high as €20m or 4% of global turnover, whichever is higher. Yet despite the fact that just about every business in the UK – and yes, that includes your business – will fall under its remit, a recent YouGov survey found that less than a third (29%) of UK firms have started to prepare for it.
Who will be affected by the GDPR?
If you are a business trading in the UK, you will almost certainly be required to comply with the new regulations. Only people who process personal data in the course of their own exclusively personal or household activity are exempt – anyone outside that definition, including sole traders working from home, is highly likely to come under the scope of the GDPR.
My company is small – how likely am I to be a victim of a data breach?
Don’t be fooled into thinking that your firm is less likely to be targeted by cyber hackers than a large corporation. Research by the Federation of Small Businesses shows that SMEs are in fact more likely to be targeted than bigger firms.
How does the GDPR differ from existing data protection regulations?
Many of the principles of the GDPR are much the same as those under current law, so a lot of what you do under the Data Protection Act (DPA) will remain valid. But there are some key differences:
- Scope – the DPA only covers the UK, while the GDPR covers any organisation that holds or processes personal data of EU citizens, regardless of whether the company is based in the EU or not. As such, this will affect UK companies, regardless of Brexit.
- Opt-in – under the DPA, a negative opt-in was all that was required (i.e. tick here if you don’t want to receive communications). Under GDPR, you must secure positive opt-ins.
- Subject access requests – under the DPA, organisations can charge a reasonable fee for data requests, can take up to 40 days to respond, and the right of a data subject to have their data erased is a matter of common law. Under GDPR, personal data requests will be free, they must be met within one calendar month, and data subjects have the explicit right to have their data rectified or erased.
- Breach reporting – currently, it is only mandatory to report a data breach if the breach is also covered by the Privacy and Electronic Communications Regulations 2011. Under GDPR, all breaches must be notified within 72 hours if the breach is likely to result in a risk to an individual’s rights and freedoms.
- Enforcement – the maximum fine for a serious breach under the DPA is £500,000. Under GDPR, there’s an upper limit of €20m or 4% of global turnover.
Where do I start?
Don’t panic! It’s not too late to get ready, as long as you start now.
The Information Commissioner’s Office (ICO) has prepared an excellent 12-step guide to preparing for the new regulation.
Your HR department will be crucial to preparing your business to comply with the new GDPR in regard to data held on employees, contractors, volunteers and job applicants, so if you don’t already have one, or you need extra help, get in touch with The HR Dept South East London and Kent – we can provide support to make sure that you’re GDPR compliant well ahead of the May deadline.