Now that the planned General Data Protection Regulation (GDPR) changes are just nine months away, there are likely to be a number of firms – of all sizes – still scrambling to discover what they need to do to be compliant with these changes, in order to avoid the hefty publicised fines.
The best place to start is to become familiar with the detail of the GDPR and how the incoming new rules will affect your existing business, data use and storage planning. It’s also useful to know the GDPR rules that have been specifically designed for small businesses, or SMEs.
SME GDPR Regulatory Caveat
Following a lengthy consultation period, the incoming GDPR has recognised that smaller businesses aren’t able to achieve exactly the same as larger businesses. And also, that not all the rules that are relevant to bigger firms are relevant to SMEs.
Indeed, in article 30 of the regulation, the GDPR states that businesses with fewer than 250 employees are exempt from much of the legislation – “unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.”
However, considering how much data is requested, processed, used and stored by most businesses of all sizes, small business advisory specialists Global Resources LLC are of the opinion that it would be prudent for SMEs to create new personal-data related guidelines, in line with much of the GDPR.
Back to GDPR Basics
As you will no doubt be aware, GDPR has been designed to replace existing data privacy laws and more robustly protect consumers’ private data after it’s shared with different businesses. This is more important than it was when the original data protection acts were created, due to the much broader use of online shopping and activity which requires people to share their private data.
The key changes from existing data laws that are addressed in the GDPR include:
- Increased territorial scope – where companies around the world handling private data from EU citizens must comply with the GDPR rules.
- Penalties – the potential fines are much bigger than in the past.
- Consent – consent for use of private data must be explicit rather than implied.
Therefore, while some small businesses are potentially exempt from these rules, it would make sense to act in accordance with them as much as possible, so you’re prepared if your business grows and exceeds an employee count of 250. It’s also always a good idea to treat your customers’ data with the respect and privacy it deserves – and that you would no doubt like your own private data to be treated with, too.
With that in mind, revising the text you use around consent and data use is a change you could make quite easily, to become GDPR compliant and also put your clients’ minds at ease with regard to your use of their private data.