GDPR Overview - How will it impact UK SMEs?

On 15 December 2015, the European Parliament, the Council and the Commission reached an agreement which proposed that the Data Protection Directive of 1995 be replaced by the General Data Protection Regulation (GDPR). It was then adopted by the Council of the European Union on 8 April 2016 and subsequently adopted by European Parliament on 14 April 2016. It also supersedes national laws such as the UK DPA.

Who does it apply to?

All companies that process personal data of individuals that reside within the EU, regardless of the company's location. The GDPR is crystal clear in its applicability even if the data processing takes place outside of the EU.

It broadly expects SMEs to comply in full with the GDPR and manage their data processes to the same extent as large and enterprise businesses.

Personal Data Definition

The GDPR defines Personal Data as the following:

''Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly (…), in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.' [1]

This is a much broader definition than in the previous regulations, and it significantly widens the net to include data that some organisations currently hold but that is not subject to any of the current regulations.

Mandatory appointment of Data Protection Officer (DPO)

All businesses will need a Data Protection Officer (DPO) if either of the following criteria is met:

  • [where] the core activities… consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • [where] the core activities… consist of processing on a large scale of special categories of data (sensitive personal data) and data relating to criminal convictions and offences

According to a study by the International Association of Privacy Professionals (IAPP), this requirement means that, in Europe alone, 28,000 DPOs will have to be appointed in the next two years. This is because the focus is on what organisations do with personal data rather than on the number of employees an organisation has, so if your small business processes the personal data of thousands of people, this could be a costly addition to your staff.

Clear & Concise Consent

Valid consent must be obtained in order to use Personal Data.

'If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.' [1]

Also, data subjects will now have the right to be forgotten, meaning organisations will have to ensure they have the processes and technologies in place to delete data in response to requests to do so.

Notification of Data Breaches

The new regulation requires that the Supervisory Authority be notified of any personal data breach within 72 hours of the organisation becoming aware of it.

So businesses will need to ensure that the processes and technologies they have in place enable them to detect and respond to a data breach quickly.

Penalties

The new Regulation mandates considerably tougher penalties than the DPA: breached organisations can expect fines of up to 4% of annual global turnover (NB turnover, not profit) or €20 million – whichever is greater.

The Inquirer have estimated that the latest Tesco Bank hack could have seen Tesco face a £1.9bn fine under the new regulation.

Fines of this scale, especially for SMEs, could very easily lead to business insolvency and, in some cases, closure.

When does it come into effect?

The GDPR will apply from 25th May 2018, less than 18 months away, so you really should be getting your head around this new regulation so that you can avoid any potentially business-crippling fines.

You can read more about the GDPR on the Information Commissioner's Office website here: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

Mirus IT are here to offer advice!

If you would like to talk to us here at Mirus about what you can do to start preparing your business for when the GDPR comes into effect in 2018, then feel free to get in touch.

[1] European Council, Council of the European Union - http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf