The GDPR (General Data Protection Regulation) comes into effect on 25 May 2018 and will apply to the UK regardless of where we end up with Brexit.
The legislation affects organisations of all sizes that process and hold the personal data of people who live within the European Union. Even if your business is located outside the EU, if you process data about people within the EU, you have to comply. And even though the UK’s future relationship with the EU is uncertain at best, if you are currently based in the UK, and process data about individuals in the UK and other EU countries, you have to comply.
It all sounds pretty scary. And indeed there are plenty of articles around that warn of humongous fines and close attention from the regulators. Even consulting the Information Commissioner’s Office website ico.org.uk can feel overwhelming.
The good news is that the requirements will not apply to an enterprise or an organisation employing fewer than 250 people unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data such as criminal records.
So if you’re a small B2B business that succeeds in never having its data hacked or stolen, you’ll be fine. You don’t need to do anything other than know what data you hold, know where it is, know that you have permission to hold and use that data, and – most importantly – keep it safe.
But if your business model depends upon the regular processing of significant amounts of personal data, you will need to pay more attention and put more effort in, and you should probably get specialist advice. It all comes down to the size of the risk to the privacy of EU citizens.
As the owner of a small business myself, what I’m doing to prepare is:
- Making a list of the data I hold on individuals – such as HR files, payroll and marketing spreadsheets
- Making sure it’s up to date and deleting anything or anyone I don’t need for my business
- Restricting access to the data by using folder permissions or password-controlled access only to those people who absolutely need to use it
- Seriously considering encrypting the data
- Reviewing my network security
- Speaking to any organisations that hold data on my behalf, such as payroll services, to ensure they are taking the right steps
- Holding off buying or importing any mailing lists until all this has settled down and I can be certain that for all the contacts on the list there is an auditable record of consent
- Making sure I have the ICO (Information Commissioner’s Office) number to hand just in case we suffer a breach of our system. It must be reported within 72 hours.
My view today is that if I do all of that and, most importantly, never have to report a breach, I will not be getting a visit from the regulatory police.
Bio: Barrie Giles is Managing Director of First Line IT and helps small businesses make the most of technology