In this week’s blog, we discuss how the upcoming General Data Protection Regulation (GDPR) updates represent a new challenge for both small and large businesses, in terms of how they operate and how they both use and store customer data.
With compliance mandatory, and significant fines for those not adhering to the new rules, taking it seriously has become a priority for companies looking to ensure that they are fully prepared in advance. Small businesses may experience the biggest impact and need to alter their arrangements to ensure compliance.
What are the main things to be aware of?
The biggest part of GDPR that needs to be considered is the introduction of new guidelines on personal data retention. Under a ‘right to be forgotten’ rule, it will be possible for an individual to request that all personal information a business holds on them be deleted, provided there is no ‘compelling reason’ for their data to be retained.
Another key difference is that from May 2018 consent must be given separately for each way customer data is used, whereas currently a single consent can cover a multitude of uses.
A firm of more than 250 employees must employ a Data Protection Officer, responsible for this and other aspects of data collection. Any data breach must be reported within 72 hours.
What costs will there be?
The cost of employing a Data Protection Officer, if one is needed, will of course have to be borne by the business, but the bigger financial exposure comes from the increased potential for larger fines.
GDPR allows a non-compliant business to be fined up to €20 million, or 4 percent of annual turnover, whichever is higher, something which could be catastrophic for a small business.
As time is money for small businesses, costs could quickly be incurred by new requirements to provide enhanced detail about what data is being handled. Likewise, relying on third-party organisations for certain aspects of data processing could be problematic for small businesses, since contracts must be in place to ensure those third parties are themselves GDPR compliant.
With locating and removing data central to GDPR, having a system that allows any small business to do this easily and quickly is vital, and one will need to be implemented if not already in place. Technology can help with this, and investigating options to find the best fit for a business’s activity may be time-consuming in the short term, but could prove invaluable in the future. This technical expertise, even if just in the form of advice or consultation, comes at a price, and small businesses without specialised IT departments may feel the financial squeeze.
The best way for a small business to deal with GDPR is to think carefully about the strategy it employs, and to make the relevant adjustments as soon as possible. Steps such as auditing the data that is held, reviewing how privacy information is communicated to people, how consent is obtained from them, and what procedures are in place for responding to a data breach can all be taken relatively cheaply and easily.
A small business that deals in retail can look towards encrypting or anonymising personal data when taking payments, both of which reduce the risk of a data breach and of personal information being lost as a result.