Guide to the GDPR for SMEs

What is the General Data Protection Regulation (GDPR)?

• The GDPR is a new piece of European legislation that applies across Europe (including the UK whilst we remain a part of Europe) from 25 May 2018. It is about as popular as the rules on the shape of bananas.
• It replaces the current European legislation (the Data Protection Directive) and its UK equivalent (the Data Protection Act 1998). Even after we exit Europe, these rules will certainly apply for a transitional period and any replacement national legislation is expected to be very similar.
• The purpose of the GDPR is to impose certain conditions on those organisations which handle your data to ensure you know what is happening to your information (where it is going, what it is being used for and who else might see it). It also aims to ensure that your data is kept secure and is not used in a way that is excessive or unfair. Almost all information about you will be protected as long as you can be identified in some way by it. This includes information with your name or email address on but also less obvious identifiers such as your IP address. It helps protect consumers but poses a real cost to businesses which need to review and adapt their compliance.
• All businesses which use third-party contractors to handle their customer data (known in data protection lingo as ‘data processors’) will be impacted. Examples of these contractors are those companies which operate opt-out and marketing lists, store their databases, analyse their consumer data, track online behaviour or website use, process payments and arrange deliveries. This is not an exhaustive list. Those data processors are now directly liable to individuals if they mishandle their data; and are subject to certain rules (for example, on notifying data breaches and record keeping). Consequently, this affects their contracts with their business customers so most SMEs will be receiving (if not negotiating) a host of new third-party supplier contracts.
• Businesses also need to give their consumers much more information than ever before about the identity of all the third parties who handle their data.
• The most impacted sector is the retail sector because of the large amount of consumer data they process. Retail businesses will have to consider the legal basis on which they use their customer data and are likely to need to ‘refresh’ all their existing customers’ consents by effective (and legal) marketing campaigns. The new rules require customers to be much more explicit than before about what they are consenting to. The ‘traditional’ tick box indicating that you have read and understood the terms and conditions and privacy policy is about as useful now as a chocolate teapot.
• All businesses will need to review the way their IT systems use individuals’ data and check it is legal.
• All businesses will need to adopt a much more rigorous approach to data protection than before. Small businesses will feel the effect of these changes because to date, many are simply unaware of their obligations and the level of fines for non-compliance. Most will not have a ‘data protection officer’ or at most, it is a role that is lumped on an unfortunate staff member along with health and safety and first aid. This will need to change and all businesses must have someone within the business who is actually up to speed with what the new rules mean.
• The job of checking compliance is, of course, exponentially bigger in large companies, but they have the resources to match this. Small businesses will struggle with the time and cost it takes to do this. All companies will benefit from an audit of their existing compliance programmes.
• There are (unconfirmed) rumours within the data protection industry that regulators will target their enforcement powers on SMEs at first (although this seems surprising). So waiting and seeing what your competitors do is a risky business.

What does it mean for SMEs?

All businesses processing data in the EU will need to comply with the rules and all businesses offering goods/services to consumers in the EU will be impacted.

What do SMEs need to do and when?

It makes sense to implement some of the changes required under the GDPR now because of the extent to which the new rules affect business practices. Auditing of existing compliance will not take long, but the time it takes to redress the non-compliance may be lengthy.

• All businesses should consider an audit now. Keystone can assist with this.
• Businesses should plan their customer consent refresh campaigns and update their website and privacy notices as this takes time, particularly when most website developers are likely to need long lead times because of demand.
• Businesses should identify their third-party-data handlers and get all the information needed from them to ensure GDPR compliance. SMEs may well not be in a position to negotiate contract changes and if so, they will need to choose another provider or assess the risks to their business if they continue with non-compliant suppliers. Don’t trust that because a supplier is a ‘big business’ this solves compliance issues; the biggest suppliers are also struggling with GDPR compliance, particularly if they are overseas.
• Businesses should update staff guidance and train them on the new rules.
• HR teams will need to take legal advice on the rules on handling employee data. HR teams will also need to be trained on the updated rules on giving individuals access to their information. Any individual may make a request to an organisation he/she believes is holding their personal data for all information they hold about him/her. This is known as a ‘subject access request’. Although there are certain exceptions on what needs to be provided under the current rules, these exceptions do not apply under the GDPR and the UK Government is hamstrung by how many of these current exceptions they can carry over into the new rules. Care should be taken on what is written down about individuals (electronically or otherwise) as they will be likely to be able to see it.
• IT teams will need to review if security could be improved and data minimised where not needed. IT teams must be clear on where all their business’s data is stored and that this is compliant with the new rules.
• All businesses need to have a data breach plan.
• Some particular types of business (particularly any business offering online behaviour advertising services or website analytics) will need to consider if they need to employ a new Data Protection Officer who is a quasi-legal and highly technical member of staff with a very specific and in-demand skill set. This can be outsourced.
• All boards need to be aware of these changes and compliance should become a standing item on the board agenda.

What if SMEs ignore the rules?

• SMEs may not realise the level of fines for non-compliance. Fines are punitive. Non-compliant businesses can be fined up to 2–4% of global turnover or 10m/20m euros if greater. Per breach. That is enough to make most business owners sit up and take notice.