GDPR for small businesses

Hannah Deakin - January 2018

So what is GDPR?

I have no doubt that we have all been receiving emails, seeing LinkedIn posts and overhearing discussions, but what does it actually mean? The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of the personal information of individuals within the European Union (EU). It comes into effect across the EU on May 25 2018. It is aimed at guiding and regulating the way companies across the world handle their customers' personal information, to give people more control over how their personal data is used. It also gives companies holding data more responsibility to ensure that data is secure. Ultimately it gives people much more say in what personal information organisations collect from them, and what organisations may do with that data.

Does this mean we still have to comply seeing as we are currently in the process of leaving the EU?

In short, yes. The UK government has decided to include GDPR as part of UK law for the foreseeable future. Even after we leave the EU it is likely the UK will keep this legislation, so it is important that we start acting and making changes now. If you don't comply with GDPR, you can be fined up to 4% of your turnover or 20M Euros (whichever is higher). To be clear, GDPR applies to all businesses that hold some form of personal data, so this is not just something for large businesses: us small businesses need to take note too. If anything, the effects of being fined for not complying may hit smaller businesses even harder, and in some cases it may be significantly harder to recover from.

So what does this mean for small businesses and what should I be doing now?

Small businesses are expected to comply in the same way as large businesses. I think it is important to ensure that you have considered the following points; although GDPR doesn't kick in until May 25th 2018, there are actions you can be taking now in order to prepare for it.

1. Understand the Regulation

Make sure your organisation and the key decision makers within the business understand the regulation and are aware of the impact it can have on the organisation if it fails to comply.

2. Look at the information you hold

You may have to complete an information audit covering what personal data you hold, where it came from and who you currently share it with. This will also identify what changes you need to make to improve practices and achieve GDPR compliance.

3. Consent

Review how you seek, record and manage current consent and whether any changes need to be made. You will need to ensure all contact meets the GDPR standards. From May, if you haven't received an individual's consent then you will not be able to send information to them. This may be critical to businesses that rely heavily on batch marketing to a large number of contacts. Begin gaining consent now, before these individuals become inundated with emails from a number of companies all doing the same.

4. Consider a Data Protection Officer

Designate someone within the company to take responsibility for data protection. You should consider whether this is formally required; there have been rumours that some SMEs are exempt from having to have a data protection officer, however this isn't always the case. Even if it is not a formal requirement, it may be a good idea to nominate someone within the company to be responsible for looking further into GDPR to make sure you are on top of it.

This is by no means an exhaustive list, but it is definitely a few important steps to be starting with as we crack on with 2018.

Most importantly: start thinking now! Begin putting together an action plan sooner rather than later. May 2018 is just around the corner and the effects could be detrimental to your business if you choose to ignore this.
