It’s not too late to make sure you are complying with new data rules.
If your small business missed last week’s deadline to comply with the European Union’s General Data Protection Regulation (GDPR), don’t panic. First, you won’t be alone: in February, the Federation of Small Businesses (FSB) said one in three small and medium-sized enterprises (SMEs) had not even begun preparing for the regulation. Second, despite the mass hysteria that seemed to engulf some organisations last week, it’s unlikely that the information commissioner is about to break down your door and demand that you pay a fine of 4% of your turnover (the theoretical maximum penalty that could apply for a GDPR failure).
Of course, this isn’t to suggest that you can simply forget about GDPR – if you’re not confident your business complies, make it a priority to act. But the regulation is proportionate and focused on failures and breaches; it’s not a dragnet intended to identify and punish every organisation that didn’t hit the 25 May deadline. If you’re not sure about your GDPR priorities, your first port of call should be the website of the Information Commissioner’s Office (ICO.org.uk), which features all the practical advice that most organisations will need. Very few SMEs should have to pay specialist consultants for GDPR implementation.
What to prioritise
The key is to focus on the most important GDPR requirements before getting bogged down in the detail. Have you documented what personal data your business holds (electronically or on paper), where it came from and who you share it with? Do you seek consent to hold this data – and are you recording that consent? Are you sharing the right privacy notices with people whose data you hold? Do you have procedures in place that enable people to exercise their rights – such as asking you to delete their data? And do you have processes in place to detect, report and investigate any system breaches?
Get the basics right, and you’ll be most of the way towards full GDPR compliance. Many of the other requirements you may have read about probably won’t apply to your business. For example, you probably don’t need to appoint a data protection officer, unless you handle very large amounts of personal data, or specialist information, such as data relating to criminal offences. Similarly, organisations with fewer than 250 employees do not have to keep the same extensive records of their data-processing activities as their larger counterparts.
Don’t forget, moreover, that GDPR simply revises existing data-protection laws. This is not the first time that regulation has focused on data – if your business complies with the Data Protection Act of 1988, it should already be in pretty good shape. Despite all the hype – and last week’s onslaught of privacy notice emails – GDPR is not such a big deal for most SMEs. Although the implementation date has passed, it’s not too late to get everything sorted.