An expert view on GDPR from FDR Law

At Tatton Commercial Finance, we understand the importance of keeping our clients and contacts up to date with the latest news and legislation, and GDPR is a big change on the horizon. With this in mind, we have linked up with Eleanor Woodall, Corporate and Commercial Solicitor at FDR Law, to provide a guest blog and expert viewpoint on the key elements of GDPR.

Why SMEs should prepare for the GDPR now

The EU’s General Data Protection Regulation (GDPR) will come into force in May 2018, regardless of Brexit. The GDPR must be observed by all organisations, and non-compliance can result in fines of up to 4% of annual worldwide turnover for the preceding financial year or €20 million, whichever is greater.

What is the GDPR and how will it affect my business?

The GDPR has been designed to give EU residents control of their personal information. Put simply, individuals should be able to easily identify how and where their information is being used.

All organisations (regardless of size or current location) that are the controller or processor of data belonging to an EU citizen must comply with the GDPR. However, some SMEs may find that, due to the type and volume of data they process, their exposure is restricted to the lower tier of fines. The lower tier sets a maximum fine of €10 million or 2% of annual worldwide turnover for the preceding financial year, whichever is greater, so this remains a substantial risk for SMEs.

Do we need a Data Protection Officer?

If you are a public authority, or you carry out large scale systematic monitoring of individuals (e.g. online behaviour tracking) or large scale processing of special categories of data or data relating to criminal convictions/offences, you must appoint a Data Protection Officer (DPO).

However, all organisations must ensure that they have adequate staff and skills to comply with their duties under the GDPR. To help achieve compliance, many SMEs may wish to voluntarily appoint a DPO.

What will a DPO do?

In a nutshell, the DPO should inform the organisation and its employees about their obligations under the GDPR and other data protection laws. Amongst other things, the DPO should also monitor compliance and be the first point of contact for the authorities and for the individuals whose data is processed (clients, employees etc.).

So, who can be a DPO?

The GDPR doesn’t detail any specific credentials or qualifications which a DPO should have. It could be a current employee (provided the employee’s existing duties are compatible and there is no conflict of interest), or the role could be taken by an external individual. However, the DPO must have sufficient professional experience and knowledge of data protection law, proportionate to the type of processing your organisation carries out.

Next steps for SMEs

Whilst the GDPR won’t come into force until next year, it would be wise for all organisations to begin assessing the changes they will need to make ahead of May 2018.

Some points to consider:

  • Review the information your organisation holds – where did the information come from and who are you sharing it with? Who has access to this information, both internally and externally? Ensure records are kept of your processing of the data.
  • Review your current privacy notices now to allow sufficient time to make any required amendments under the GDPR before May 2018. The GDPR requires certain additional information to be included in the notices, including, for example, the data subject’s right to complain to the Information Commissioner’s Office (ICO). For further information, refer to the ICO’s Code of Practice, which sets out the new requirements.
  • In the event of a personal data breach, the GDPR requires organisations to notify the authorities no later than 72 hours after any breach of personal data. Consider how your organisation will ensure it reports any breach within the 72-hour deadline. This could include, for example, putting in place a security breach response plan and keeping a register of all security incidents and breaches.
  • Review your current cyber security measures and ensure your firewalls, encryption etc. are robust.

If you have any further queries on GDPR or feel you may need the support of a DPO, get in touch with Eleanor on 01925 230 000 or find more information on the FDR Law website.
