General Data Protection Regulation (GDPR) Changes For Your Small Business

31/10/2017

News

General Data Protection Regulation

With the introduction of the General Data Protection Regulation (GDPR) fast approaching, it is a good idea for businesses to start taking action now. Taking effect on 25 May 2018, the GDPR has much in common with the current Data Protection Act (DPA). However, it also introduces some requirements that businesses may be less familiar with, and these will have an impact on the way they work.

Research from law firm Collyer Bristow found that 55% of small businesses in the UK are still unfamiliar with the updated regulation. In addition, 18% of small businesses would be at risk of insolvency if they were hit with the new maximum fine for non-compliance (the higher of €20 million or 4% of worldwide annual turnover).

So with this in mind, here are a few of the changes that businesses should be aware of:

Clear Consent

Under the GDPR, the rules around consent become more explicit, and businesses may need to rethink the ways in which they collect data. Consent must be freely given, specific, informed and unambiguous, and it must be given by a clear affirmative action: a positive opt-in, for example an individual ticking a box on a form to agree to their details being shared with third parties. This means that pre-ticked boxes, where the individual has to consciously untick the box to refuse, which were previously frowned upon, will no longer be valid. Silence or inactivity does not count as consent either, and it must be as easy for an individual to withdraw consent as it was to give it, so keep a record of what each person consented to, when, and how.

The ‘Right To Be Forgotten’

As well as the changed rules on consent, the GDPR also enforces the right to erasure, commonly known as the ‘right to be forgotten’. This allows an individual to request the deletion or removal of their personal data where there is no longer a lawful reason for it to be kept: for example where the individual withdraws the consent the processing relied on, where the data is no longer needed for the purpose it was collected for, or where it must be erased to comply with a legal obligation. Your responsibility as a business is to respect this right and to be able to remove the data effectively when asked to do so. In practice that means knowing every place it is held, including backups and any third parties you have passed it to, so that a request can be actioned within the one-month deadline.

Security Breaches

Having the right procedures in place to detect, report and investigate a personal data breach will be essential when the new rules come into effect, as the GDPR introduces an obligation to report certain types of data breach to the relevant supervisory authority (the ICO in the UK), and in some cases to the affected individuals as well. A personal data breach is any breach of security that leads to personal data being accidentally or unlawfully destroyed, lost, altered, disclosed or accessed. As this can have serious consequences, the right actions need to be taken and proper reporting needs to be put in place.

A breach must be reported to the supervisory authority unless it is unlikely to result in a risk to individuals’ rights and freedoms, and the report is due without undue delay and, where feasible, within 72 hours of becoming aware of it. Risks of this kind include identity theft, discrimination, financial loss, or loss of confidentiality. Where the breach is likely to result in a high risk to individuals, they must be told directly as well. Every breach, whether or not it is reportable, must be recorded internally with its facts, its effects and the remedial action taken, so the supervisory authority can verify that you made the right call.

The Data You Hold

When it comes to the data your business holds, you should always be able to document what you hold, where it came from, why you hold it and who you share it with. If you are unable to do this, you will need to audit the data you process so that you can account for it going forward.

This supports the accountability principle, which requires businesses to be able to show the policies and procedures they have in place and that these are effective. And while many businesses will be focused on customer data, it is important to remember that this applies to all personal data, including any employee data you hold and data from anyone who has ever handed over their details to you, for example an individual applying for a job at your company.

International Reach

Another point to remember is that the new regulation applies to the processing of personal data belonging to individuals in the EU regardless of where in the world that processing takes place. So although it is being introduced as the new legal framework in the EU, a non-EU company must also comply if it offers goods or services to individuals in the EU or monitors their behaviour, and an EU company that uses a non-EU supplier to process data remains responsible for that processing.

While this may seem like a lot to get your head around, a big part of the process is raising awareness in your business. This means highlighting the impact the regulation will have on your company as well as on individual employees. You can do this by holding training sessions with your employees on what the GDPR is and how they can prepare for the changes.

You could also carry out a thorough review of all your current processes, and appoint a data protection officer (DPO) who can take responsibility for driving this forward. A DPO is only mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, but even where it is not required, naming someone who owns data protection makes the work far more likely to get done. Having everyone on board is sure to make it a whole lot easier!

For more information, you can check out the Information Commissioner’s Office (ICO) for additional resources, including its guidance on preparing for the GDPR.

Registered in England and Wales No: 5654231. Address: One Hammersmith Broadway, London W6 9DL