Keith Kennedy, from Pearson Solicitors and Financial Advisers, looks at how GDPR will affect local businesses.
If you run a business and hold personal data on staff, clients and contacts, then this month sees a major change in what you need to do.
Alarmingly, many businesses are still unprepared for the regulations. Brexit or no Brexit, businesses still have to comply.
Being a small business doesn’t mean you fall out of the GDPR scope and you’ll need to be compliant if you are involved in regular processing (which includes collecting, storing and using) of personal data.
It’s also important to note that if you’re contracting with a larger company that conducts large-scale processing you may also be subject to the harsher end of the GDPR’s regulation.
Recent research indicates that 22 per cent of North West businesses don’t know anything about the new GDPR, which comes into force on May 25.
Some firms may not do anything about the regulations, despite the threat of fines of up to 4 per cent of turnover.
The commercial reputation of your business could also be seriously damaged by a data breach, and there is always the possibility that individuals sue you over your data management, whether for material damage or for non-material suffering such as distress.
Insolvency will therefore be a real risk for non-compliant businesses as a result of these fines.
The new regulations will apply to all companies processing and holding the personal data of people who live in the EU – regardless of where the business is located – and includes customer, supplier, partner and employee personal data.
The first question you need to ask yourself is ‘how often does your business deal with personal data?’
This includes your customer data of course, but have you factored in supplier data? Past and present employees? It needs some careful consideration to make sure you have all bases covered.
Apart from it being a new law, responsible data handling is a basic principle of good business sense. If you’re a one-person band with messy paperwork and files, have you thought about how you’d explain a breach to your trusted customers?
Keith Kennedy, Head of Corporate and Commercial at Pearson, said: “The new GDPR regulations are huge and businesses are making themselves vulnerable to huge fines if they don’t start acting now.
“If criminals manage to ‘hack’ into business systems and steal personal data, the customers of the business could also be at risk of cybercrime.
“All businesses will be subject to the GDPR. Smaller businesses might not have as much money to invest in cyber security, but they will be subject to the same fines and penalties under the new regulations.”
Checklist: what can I do now to comply with the GDPR?
• Read the GDPR and ensure you understand what is required.
• Consider appointing one of your management team to oversee compliance (in some cases this will be mandatory) – ensure he or she is reporting to the board or business owners regularly.
• Audit your data. This is an onerous exercise: do not underestimate it. You will need to be able to identify “personal data” then find out what data you store.
• Review how you collect information. Is it by website cookies? By email? Through your contracts?
• Review how you manage your data storage (and where it is stored).
• Document these processes.
• Check whether you are allowed to keep the data. You might have to justify why you have it and whether you have customer permission to keep it.
• Review your privacy policies and notices. Do they need to be changed?
• Train your employees on the data protection laws and ensure they understand why data protection is so important for you and your customers.
• Review your systems’ security arrangements. Are they safe from hackers?
• Train your employees on the risks of cybercrime and how to avoid it. Give refresher courses on a regular basis.
• If a customer asks you to delete or remove their personal data from your records – do so immediately. Set up a system for doing this. Ensure someone within your business has responsibility for this task.
• Review data regularly. If you don’t need it, delete it.
• The GDPR will affect how you handle your digital marketing. Work closely with your marketing team to ensure compliance.
• Have you prepared for a cyber attack? (All cyber attacks must be reported to the Information Commissioner’s Office).
We have a team of commercial lawyers with knowledge of the GDPR. Ruth Smith, one of our corporate team, is a specialist in this area and ran a recent seminar going through the checklist with businesses. She is currently working with many companies, guiding them through the requirements of the new regulation and how to implement them.