The General Data Protection Regulation (GDPR) came into force in May 2018. Brought in by the European Union, it aims to better protect the personal information and data of all citizens of the EU. This means that if your business processes, holds or uses personal data, you need to be in full compliance with the GDPR.
But there has been some confusion – even now with the rules in effect – as to what businesses need to be doing. This has been especially challenging for smaller businesses who may not have the resources to work with legal specialists to understand the obligations and responsibilities for compliance.
Here we take a look at how GDPR affects small businesses and some of the issues surrounding compliance that you might not realise.
Does the GDPR even apply to you?
Some businesses aren’t sure whether the GDPR is even relevant to them. In some cases, they believe that because they only have a few members of staff, or indeed are a sole trader, they do not need to comply with the rules. However, this is not the case. It is not the size of the business that makes a difference but whether or not your business handles personal data.
If you store any personal data, whether of your clients, your staff or your suppliers, you need to comply. If you fail to comply and then suffer a data breach you could be heavily fined. It is good practice to ensure that your business is fully compliant.
Take cyber security seriously
Cyber security is a key aspect of becoming GDPR compliant. The GDPR has been brought in to make sure that businesses are doing as much as possible to protect the private data of individuals, and having strong digital defences is a vital part of this. Suffering a data breach can be catastrophic, and the loss of their data is a serious problem for the individuals involved.
Remember that if your security is weak and not compliant with the GDPR you can face fines of up to €20 million or 4 per cent of your global turnover (whichever is higher). So this is an important thing to get right.
Invest in your infrastructure
Another aspect of your business that may need to change is your internal systems. Having the right infrastructure in place is key for compliance with the GDPR. An example of why it is so important is the fact that if you suffer a data breach, you need to be able to inform anyone affected within 72 hours. This means that you need to be able to quickly recall data, as well as have a computer system that lets you understand exactly which files have been breached.
“For smaller businesses it can be worrying to face these sorts of costs in infrastructure changes, but they are an important part of compliance. Working with specialists experienced in aspects of compliance such as business accountants and digital security experts can help to ensure that your business is future proof.” Oliver Spevack FCA ACCA, OS Accounting
Train your staff properly
One of the most important aspects of the GDPR is the safety of personal data. However, one of the weak links may be your own staff. You can set up powerful defences and put the correct infrastructure in place, but if your staff can be tricked into divulging details or allowing criminals to get access to your system, then this will all be for nothing.
You need to provide your staff with comprehensive training on the GDPR and the requirements for dealing with data. Your staff are an important part of your defences, so provide them with the training to be effective.
Is Brexit going to change my GDPR commitments?
It is commonly thought that businesses may not need to become compliant because of Brexit. The thought behind this is that as the UK will be leaving the EU, the country will not be bound by its rules, including the GDPR. However, this is not something that you should believe. Firstly, the UK is likely to continue with many of the same regulations as the EU after Brexit, and there is no reason to suggest that the UK would rescind the GDPR. Secondly, even if the UK were to get rid of these regulations, any UK business that holds the data of EU citizens would still be required to be GDPR compliant.