23 February 2018
As GDPR becomes an increasing focus for every business, we are pleased to bring you a summary from Jacksons Law about the new regulation and how our businesses should prepare.
Since the final approval was given by the EU Parliament in April 2016, speculation and a great deal of suspicion has arisen as to the impact of GDPR on small businesses within the UK.
With only three months to go until GDPR replaces the UK’s Data Protection Act, we take a look at the real impact on SMEs and provide some guidance as to what they can do to comply.
- Shake up
The upcoming GDPR is set to be ‘the biggest shake-up of personal data privacy rules since the birth of the Internet’ according to Vera Jourova, European Justice, Consumers and Gender Equality Commissioner.
GDPR will apply to all Member States and the UK has committed to implementing the Regulation regardless of Brexit.
GDPR should be in the mind of each and every business.
- Evolution not revolution
The UK Information Commissioner’s Office (ICO) has been at pains to make it clear that GDPR is not ‘a total revolution’ but rather in the words of Elizabeth Denham, the Information Commissioner, ‘…an evolution of the current law and a step change that brings greater accountability, transparency and consumer control…’
Given the UK has had the Data Protection Act for the last 20 years, ICO expects businesses to build on the foundations they already have in place.
- Boardroom Issue
The Information Commissioner has tried to reinforce the message to organisations that data protection is ‘…not an IT issue, it is a boardroom issue.’ Hence, businesses should be leading from the top and senior management should be buying in from the get-go.
Unsurprisingly, there is wariness as to what GDPR really means for businesses. With guidance and clarification still to be provided in many areas, it is understandable that there is a reluctance to buy in. But come 25 May 2018, businesses will have no option but to comply and be able to demonstrate compliance.
So what can SMEs do?
GDPR isn’t going away so SMEs will need to have an action plan to tackle the changes. Individuals will have greater rights and it won’t just be a case of thinking about data if and when a breach occurs.
- Have a key person or team within the business to take responsibility for GDPR compliance. Whilst other parts of the business will support the key person/team, it is important to have a central directing figure.
- Identify what data is held by the business and why. This is a real opportunity to spring clean the data held. Think quality rather than quantity.
- Clarify what the business’ justification is for holding the data. Most SMEs will be relying on: consent from the individual, a contractual necessity or legitimate interests. Is this still the case or has the business held the data for so long that the original justification no longer applies?
- Know where the data stored and who has access to it.
- Identify what procedures, policies and privacy notices the business has in place. Can these be used as a basis and be updated?
- Maintain detailed documentation in order to show paper trails relating to data processing activity and privacy impact assessments carried out.
- Think about the individuals that use or are connected to your business, are you clear about their rights and what they can expect from your business? Do you know how your business would deal with the following:
- a subject access request;
- a request to be forgotten;
- a request to receive the data held with the intention to transmit this elsewhere?
The key themes under GDPR are accountability and transparency, if a business can demonstrate that its data processing and policies incorporate and mirror these cornerstones then your business won’t go far wrong!
For more information please contact:
Charlotte Alexander on CAlexander@jacksons-law.com / 01642 356504
Louise White on LWhite@jacksons-law.com / 01642 35607
Paul Clark on PClark@jacksons-law.com / 0191 2322574