You may have heard the term ‘General Data Protection Regulation’ or ‘GDPR’ around recently. You may even be vaguely aware that it comes into effect on the 25th of May 2018. But what exactly is the GDPR and what does it mean for your small or medium-sized business?
In this post I want to break down the formal legislative speak and get to the heart of what really matters – the impact that GDPR will have on your business operation. These FAQs will help you get to grips with what’s coming down the line.
So, first things first: What is the GDPR?
GDPR will strengthen and consolidate data protection rights within the EU. Because it is a regulation rather than a directive, the same rules on the collection, storage and use of personal information will apply directly in every member state, without each country having to pass its own version.
The GDPR compels companies across the EU to put stringent data protection processes in place.
What are the benefits of the General Data Protection Regulation?
There are two key objectives underpinning the GDPR.
- GDPR gives EU residents back control of their personal information.
- GDPR simplifies the regulatory environment for international business in the EU.
The benefit to consumers is that they will have greater control over their personal information and data. Privacy and personal data protection is something we can all understand the benefit of from our own individual perspective.
From a business point of view there have been some criticisms of the strictness of the new GDPR. However, it will yield some benefits for exporting Irish SMEs. Instead of 28 different national data protection laws in the EU, there will now be one comprehensive set of rules applied across the board. Even the post-Brexit UK is expected to keep its law aligned with the GDPR. This should help Irish exporters to cut costs and red tape within the EU, and it may help smaller exporters to break into new markets.
Does GDPR apply to my SME?
The simple answer is Yes. The new regulation applies to ALL organisations that process personal data, including SMEs in Ireland. It doesn’t matter how small your business is, you need to comply with GDPR. There will be nowhere to hide for businesses who are wilfully negligent with consumers’ private data. What’s more, violations will be subject to fines! Eeeek!
The good news, however, is that SMEs are granted some relief. Quite rightly, the General Data Protection Regulation recognises that smaller businesses need different treatment from larger corporations and public bodies (most notably in Article 30, which covers records of processing).
The record-keeping relief applies if your business has fewer than 250 employees AND your processing is only occasional, is unlikely to put individuals’ rights and freedoms at risk, and does not involve special categories of data (such as health, ethnicity or criminal conviction data). The “and” matters: a small company that routinely processes sensitive data does not qualify.
What are the GDPR exemptions for SMEs?
- Your SME won’t have to appoint a dedicated Data Protection Officer. Note that this test is not actually about headcount: a DPO is required (Article 37) when your core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, so check what you process, not just how many staff you have.
- You don’t need to keep formal records of your processing activities, provided you meet the Article 30 conditions above (fewer than 250 employees, occasional, low-risk processing with no special category data).
- You won’t be required to report a data breach to the regulator if it is unlikely to pose a risk to the rights and freedoms of the individuals concerned. This relief applies to organisations of every size, not just SMEs, and you must still record the breach internally and be able to justify the decision not to report it.
This DOES NOT mean that your SME is off the hook from the GDPR!
These exemptions recognise the operational capacity of SMEs. They are by no means a free pass however! Your business is still bound by the General Data Protection Regulation. So, it’s important that you understand the parameters of data protection and comply with the general terms of the new regulation.
At a very basic level you need to be mindful of your business’s ‘data subjects’ and their rights, and to understand the key changes being brought in with the GDPR in 2018.
What are ‘data subjects’?
Data Subjects are the people whose information we collect, store and use.
We all take information from our customers – names, contact details, personal or property info, payment methods and so on. This can be done on paper, by physically filling out a form, or by digital input, which is now the norm. Most businesses will keep some kind of record of individual transactions and customer relationships.
Of course, we don’t just hold data about our customers. There are other types of ‘data subjects’. Employee records include lots of personal information that may be sensitive. We also store and use data about our website users, suppliers and partners.
This is perfectly OK and indeed necessary. The General Data Protection Regulation is simply being put in place to ensure that all businesses, big and small, are doing the right thing when it comes to data protection.
So, what are the key changes taking place under the GDPR?
A larger emphasis is being placed on accountability, which means being able to evidence your organisation’s compliance: documenting what personal data you hold, why you hold it, where it is stored and who has access to it.
A mandatory breach notification process will be introduced. This requires businesses to notify the regulator of most personal data breaches within 72 hours of becoming aware of them. Affected data subjects must also be informed without undue delay when a breach is likely to pose a high risk to them.
As I mentioned above, the notification to the regulator is not required if the breach is unlikely to pose a risk to the individuals concerned, but you should still log the incident and your reasoning, because the regulator can ask to see it later.
Consent and Privacy Notices
Businesses must comply with stricter consent rules when they rely on consent to collect information from their users/customers.
GDPR is a world-leading data protection step towards giving consumers back their digital rights. Consent is one of several lawful bases for using personal data, but where you rely on it, it must be freely given, specific, informed and unambiguous: no pre-ticked boxes or consent buried in the small print. Furthermore, individuals can withdraw that consent at any time, and they can request a copy of the data your business holds on them (a ‘subject access request’), which you generally have to answer within a month.
The content you’re required to include in your privacy notice is going to change. It is important to make sure that your website privacy page and the privacy notice you include on customer forms or contracts are up to date with the new regulation.
What are the potential penalties if my business doesn’t comply with the GDPR?
Don’t be complacent and think that SMEs are exempt from fines. If you don’t comply with GDPR, you are not!
The maximum sanction for non-compliance with GDPR is a fine of €20,000,000 or 4% of total worldwide annual turnover for the preceding financial year, whichever is the greater. Scary stuff!
What should I do now?
Don’t Panic, BUT DO ACT.
Today is the day to take action and begin preparing for the GDPR! For some businesses it may simply involve small tweaks to your spreadsheet databases and consent forms. Others may need an overhaul of their data collection and storage systems.
You need to engage with your IT person or department on this to make sure you are covering all the bases set down by the GDPR: where personal data actually lives (including backups, e-mail and cloud services), who can access it, and how you would detect and respond to a breach within the 72-hour window.
The Data Protection Commissioner in Ireland has resources and guides available at the dedicated website GDPR & You.
The Information Commissioner’s Office in the UK has an excellent 12-step guide and checklist.
I hope you found this article useful. Sign up to our newsletter to stay informed about all the things you need to know about the digital world to help your business grow and prosper!
The content of this web page is a commentary on the GDPR. This content is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your orga