New research suggests that more than two-thirds of small businesses have not yet begun to ready themselves for the General Data Protection Regulation (GDPR), and only 8% have completed preparations.
As a small business owner, 25 May 2018 should be marked on your calendar – and then circled again. It’s the day EU-wide changes to the rules on the processing and storage of personal data are fully coming into force. Regardless of the sector, GDPR requirements will affect you if your business handles personal data of any kind.
Here are answers to the five questions about GDPR that small business owners ask most often:
What’s the point of GDPR?
The General Data Protection Regulation aims to give individuals more control over their personal data and to harmonise data protection rules across the European Union. It applies to organisations of every size, so as a small business owner you must comply with it or risk enforcement action and hefty fines.
GDPR is not a burden – by bringing your data protection policies into shape, improving efficiency of the processes and procedures you have in place, you will add value to your business, gain trust and ultimately bring in more business. Think of GDPR compliance as an opportunity for growth.
What is GDPR compliance?
You are well on the way to GDPR compliance if you:
- Know what personal data you hold: where it comes from, where it goes, how it is used and on what lawful basis you process it. Consent is only one of the six lawful bases (the others include performance of a contract, a legal obligation and legitimate interests), so identify the right basis for each processing activity and record it.
- Where you rely on consent, have asked your clients or staff for it in terms that are explicit, transparent and easy to understand, so they know how their data is being used and stored. Consent must be freely given, specific and unambiguous; silence or pre-ticked boxes do not count.
- Have made it clear to them that they can withdraw consent at any time, and that withdrawing it is as easy as giving it.
- Have a procedure in place for a personal data breach. You must notify the ICO within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and tell the affected individuals without undue delay where the risk to them is high, so update your policies and procedures accordingly.
- Have a procedure for handling requests from individuals to see the personal data you hold about them and how you have used it (subject access requests). Each request must normally be answered within one month, so you need to know where the data is and how to collect it within that time-frame.
- Have appointed a Data Protection Officer if you need one. For a small business this is mandatory only if your core activities involve "regular and systematic monitoring of data subjects on a large scale" or large-scale processing of special categories of data (such as health data) or criminal conviction data.
- Have conducted due diligence on your suppliers to make sure they are GDPR compliant, and have a written contract with any supplier that processes personal data on your behalf setting out their obligations.
- Have trained your employees on all of the above.
What happens if you breach GDPR?
GDPR fines and penalties depend on the infringement and include:
- Warnings and reprimands
- Temporary or permanent ban on data processing
- Order to rectify, restrict or erase data
- Suspend data transfer to third countries
- Administrative fines imposed on a case-by-case basis of up to €20 million or 4% of annual worldwide turnover, whichever is higher (a lower tier of up to €10 million or 2% applies to less serious infringements)
The Information Commissioner’s Office (ICO), the UK’s supervisory authority, will consider the nature, gravity and duration of the infringement, among other factors, before deciding whether to impose a fine and how large it should be.
What happens to GDPR after Brexit?
Although GDPR is an EU regulation, the UK’s decision to leave the EU does not remove the need to comply. According to the government, the UK law to be introduced after Brexit will mirror GDPR directly, so the same obligations will continue to apply.
Where can I get GDPR help?
The Information Commissioner’s Office (ICO) has a number of resources available on their website, including checklists, training videos, webinars and podcasts to get you started.
Berley chartered accountants for small businesses
GDPR affects all of us, including Berley Chartered Accountants. We specialise in working with small businesses in London, offering a blend of professional accounting services and sound business advice tailored to your business. Our focus is on growing your business, and your data is safe with us as your small business accountants.