GDPR

Spring 2018

GDPR is coming - are you ready?

New rules on protecting personal data come into force in May and no business is exempt. So it's time to make sure your organisation complies, or it could be facing a big fine.

If you run a business, you deal with personal data, and the way you must handle this data is about to change with the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018. Fines of up to four per cent of global turnover or 20m, whichever is the larger, can be levied on non-compliant organisations, not just for a security breach but also for failing to implement the right level of technology to protect data or to supply relevant documentation.

These new rules will apply to organisations of every size and in every sector, so the Federation of Small Businesses (FSB) is urging all smaller businesses to be prepared. There are exclusions for small businesses in some of the GDPR articles, but the majority will apply. Look at the following areas to ensure you will meet the new requirements.

Right to be forgotten

A big area for investment of your time, and possibly money, is in understanding what data you already have and where it is. The GDPR gives an EU resident the right to see, and have amended or deleted, all personal data that an organisation holds on them, including on backup systems and in archives. The whole process, from request to completion, has to be audited/proved and completed within 30 days. Failure to do so is classed as a major breach and will incur a fine of up to 20m.

Data breaches

You need to be able to protect the data you hold from insider threats (your employees), which is how the vast majority of breaches occur. This includes mitigating accidental breaches by having, for example, clearly communicated policies and ensuring that data is where it should be. You also need to protect data from malicious breaches, such as may occur when an employee leaves the company, as well as from corporate or national espionage. In addition, steps are required to prevent phishing attacks or contamination through bring-your-own-device arrangements. Failure to do any of these things could result in a major fine.

Legal contracts

Do you have contracts with partners or third parties where they process or control personal data? Under the GDPR, liability is held jointly by the data processor and the data controller, so contracts will need to be updated.

Data protection officer

Not all firms need to employ a data protection officer (DPO). Under the GDPR, the designation of a DPO is mandated by the type of data processing rather than the size of the organisation. If a company is a public authority, however, a DPO is mandatory. Most other organisations will need to designate a DPO, in particular, if their core activities require regular and systematic monitoring of data subjects on a large scale, or processing of special-category data. What constitutes "large scale" is down to interpretation, and legal advice should be sought. As a general rule, if the only personal data being processed is in connection with payroll/HR, then a DPO would not be required. A judgement will need to be made, however, if your organisation regularly processes personal data from sales, customer relationship management (CRM), mailshots and other activities.

Many small businesses remain blissfully unaware of the GDPR rules, which will come into force just weeks from now, but it is crucial that they are fully prepared for its introduction. Businesses of any size that process data, even on paper, will need to keep more stringent records of how they handle that data. And because the regulation comes into force before the UK formally leaves the EU, it will become domestic law in the UK.

It is crucial that business owners ensure they are compliant with the GDPR, and put in place measures that mean they won't fall foul of the rules and become subject to a hefty fine. The FSB has produced a video to help business owners understand their responsibilities under the GDPR. More information can also be found on the Information Commissioner's Office website.

GDPR exemptions myth

There is a misconception that companies with fewer than 250 employees are exempt from the regulation; this is not true. The only concession for businesses of this size is in Article 30, Records of processing activities. Most organisations will have to maintain a record that contains:

- the name and contact details of the controller
- the reason for the processing
- a description of the type of personal data or category being processed
- how long the data will be kept before it will be deleted
- some other requirements

Point 5 of Article 30 states that the requirements will not apply to an enterprise or an organisation employing fewer than 250 people unless the processing:

- is likely to result in a risk to the rights and freedoms of data subjects
- is not occasional
- includes special categories

So a company that processes data on a regular basis, or that processes special-category content such as racial, political or genetic material (plus others listed in Article 9), will not be excluded from this requirement, even if it does so on quite a small scale.

For further information please contact your local Trading Standards Service.

Credit: Karen Woolley, development manager, Federation of Small Businesses
Image: istock / Cmake_photo