Now that the planned General Data Protection Regulation (GDPR) changes are just nine months away, there are likely to be a number of firms – of all sizes – still scrambling to discover what they need to do to be compliant with these changes, in order to avoid the heavily publicised fines. The best place to start is to become familiar with the detail of the GDPR and how the incoming new rules will affect your existing business, data use and storage planning. It’s also useful to know the GDPR rules that have been specifically designed for small businesses, or SMEs.
SME GDPR Regulatory Caveat
Following a lengthy consultation period, the incoming GDPR has recognised that smaller businesses aren’t able to achieve exactly the same as larger businesses, and also that not all the rules that are relevant to bigger firms are relevant to SMEs. Indeed, in Article 30 of the regulation, the GDPR states that businesses with fewer than 250 employees are exempt from much of the legislation – “unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.” However, considering how much data is requested, processed, used and stored by most businesses of all sizes, small business advisory specialists Global Resources LLC are of the opinion that it would be prudent for SMEs to create new personal-data-related guidelines, in line with much of the GDPR.
Back to GDPR Basics
As you will no doubt be aware, GDPR has been designed to replace existing data privacy laws and more robustly protect consumers’ private data after it’s shared with different businesses. This is more important than it was when the original data protection acts were created, due to the much broader use of online shopping and activity which requires people to share their private data. The key changes from existing data laws that are addressed in the GDPR include:
- Increased territorial scope – where companies around the world handling private data from EU citizens must comply with the GDPR rules.
- Penalties – the potential fines are much bigger than in the past.
- Consent – consent for use of private data must be explicit rather than implied.