New Data Protection Rules (GDPR): What does it mean for your small business?

You will no doubt have heard some hype surrounding the new data protection rules coming into force on 25 May 2018. The new General Data Protection Regulation (GDPR) is set to overhaul how your business processes and handles data. Just because you may run only a modest business does not mean you can bury your head in the sand in relation to these reforms.

The current regulations were drawn up 20 years ago in the late 1990s, when the internet was much less developed than now and long before the Cambridge Analytica and Facebook type scandals were even in contemplation. You may have received a number of emails recently from websites and organisations about the changes and what they mean for your data, but what does your organisation need to do to keep up with the times?

First, do not ignore or think the regulations do not apply to you! You have less than one month to prepare. The good news is that Dickinson Parker Hill are here to help.

Spot the difference

The full text of GDPR contains an eye-watering 99 articles detailing the rights of individuals and the obligations placed on businesses and other organisations. Suffice to say, these go much further than the old Data Protection Act rules.

Accountability

Under GDPR, the "destruction, loss, alteration, unauthorised disclosure of, or access to" people's data will have to be reported to the Information Commissioner's Office (ICO) (as well as to the person it is about) within 72 hours where it could have a detrimental impact on the person or "result in a risk for the rights and freedoms of individuals".

Opt in not Opt out

When you are relying on consent to lawfully use a person's information you must clearly explain that consent is being given and there has to be a clear "positive opt-in" rather than an “opt-out” system. This is very different from the presumed consent model under which many businesses operate at present. Is yours one of them?

Along similar lines, the GDPR clamps down on the automated processing of data. If you have subscribers or mailing lists, you should take advice on what you can lawfully do with this information and whether you can continue to retain it.

Right to be forgotten

The new regulation also gives individuals the power to have their personal data erased in some circumstances, e.g. where it is no longer necessary for the purpose for which it was collected, if consent is withdrawn or if there is no legitimate interest. In any event, you should always be considering whether you still have a need for, or a legitimate reason to continue to hold, a person's data and, if not, delete it. That includes personnel files, order details, invoicing information and customer lists.

Access

The GDPR also gives individuals much more power to access the information that is held about them, free of charge. Currently, Subject Access Requests can be subject to a charge of £10. Going forward, however, all requests for personal information will have to be honoured free of charge, no matter what the administrative cost might be to your company.

Time limits for the provision of such information are also very strict. When someone asks you for their data, the information must be provided within one month.

Better systems

In order to comply with the core foundation of "privacy by design", GDPR requires your processes to be built with data protection in mind rather than treated as an afterthought. You should therefore take a moment to think about every aspect of your business: how you use data, and how such use protects the individual and complies (or not, as the case may be) with GDPR.

Specific protection for children

Since children are generally more vulnerable and less aware of risks, GDPR includes a requirement for parental consent for children up to age 16. This is very relevant, as consumers of services, particularly online services, are getting younger and younger.

Fines

One of the biggest, and potentially crippling, consequences of the GDPR for your business is the power for regulators to fine businesses that don't comply with it. If you don't process an individual's data in the correct way, you can be fined. If you require and don't have a data protection officer, you can be fined. If there is a security breach, you can be fined.

The GDPR states that smaller offences could result in fines of up to €10 million or two per cent of a business's turnover (whichever is greater). Those with more serious consequences can attract fines of up to €20 million or four per cent of turnover (whichever is greater). These are far larger than the £500,000 penalty the ICO can currently wield and, according to some analysts, fines imposed last year would be 79 times higher under the new regulation.

Preparing your business

When implemented, GDPR will have varying and wide-ranging impacts on all sorts of businesses and organisations. To help you prepare, the ICO has created a 12-step guide, which you can access at the ico.org.uk website. For more detailed advice and guidance on compliance, help to prepare a data protection policy or to rethink your data handling processes to minimise your risk, or if you are facing a complaint that you have breached the GDPR, please do not hesitate to contact us at [email protected]
