With the General Data Protection Regulation (GDPR) due to come into force in a year’s time (May 2018), every organisation will need to take steps to comply. There are exclusions to small businesses to some of the articles, but the majority will still be in force.
From 25 May 2018, any breach of the GDPR will result in fines for small businesses of up to €20 million. This is not just for a security breach but for a failure to implement the right level of technology to protect the data, or provide the relevant documentation. The following are areas small businesses should look at to ensure they meet the requirements:
Right to be forgotten
A big area for investment (of time and possibly money) is understanding what data you have and where it is. The GDPR gives a EU resident the right to see, have amended or delete all personal data held. This includes backups and archives, and the whole process from request to completion has to be audited/proved, and completed within 30 days. Failure to do so is classed as a major breach and will incur the fine of up to €20 million.
You need to be able to protect from an ‘insider threat’ (your employees), which is where the vast majority of data breaches occur. Again, this incurs a major breach fine for failing to protect the data. This includes policies to protect against accidental breaches, such as having clearly communicated policies and ensuring data is where it should be, and malicious breaches, such as an employee leaving the company and corporate or national espionage. Steps are also required to prevent attacks such as phishing or contamination through ‘bring your own device’.
Have you any contracts with partners or other third parties where they process or control any personal data? Liability with GDPR is now jointly with the Data Processor and Data Controller, but contracts will need to be updated.
There is a general misconception that companies with fewer that 250 employees are exempt for the regulations. This is not true.
The only time the articles allow concessions for organisations with fewer than 250 employees is in Article 30 – Records of processing activities. Most organisations will have to maintain a record of processing activities that contains the name and contact details of the controller, the reason for the processing, a description of the type of personal data or category being processed, how long the data will be kept before it will be deleted, and some other requirements.
Point 5 of Article 30 states that the requirements will not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories. Therefore, a company that processes data on a regular basis or processes special category content such as racial, political or genetic (and others listed in Article 9) material, even if quite small, will not be excluded from this requirement.
Data Protection Officer
Some advisers are implying that all firms must employ a Data Protection Officer (DPO). This is incorrect. The designation of a DPO is not mandated according to company size, but rather the type of data processing. If a company is a public authority then a DPO is mandatory.
Most other organisations will need to designate a DPO, in particular if the core activities consist of processing operations which require regular and systemic monitoring of data subjects on a large scale, or processing special category data.
What is considered large scale is down to interpretation and legal advice should be sought. As a general rule, if the only personal data being processed is the payroll/HR data then a DPO would not be required. If, however, you are regularly processing personal data from sales CRM, mailshots and other activities then a judgement will need to be made.
The impact of Brexit
The GDPR went live in April 2016 so is in force now. We are still part of the EU, and the penalties for non-compliance will be enforced from 25 May 2018, which means we will still be in for a further year past the enforcement date.
Even when we are out of the EU, the Information Commissioner’s Office (ICO), which is the Data Protection Authority in the UK, has announced that it will be taking the EU GDPR into UK legislation, so the UK will have its own version of GDPR. To comply with that will be at least as stringent as the EU version.
Andrew Salmon is CEO and IT director of data management company TrueSwift Ltd www.trueswift.co.uk