What is GDPR (and what does it mean for small business owners?)



From 25th May 2018 we are set to see the biggest changes in data protection laws in this country for over 20 years.  The Data Protection Act, established in 1998 will be replaced by the EU’s General Data Protection Regulation (GDPR) which sets out strict new rules about the storage and use of personal data. This has huge implications for all businesses as failure to comply will incur huge penalties, which could be catastrophic for small business owners.

What is the Data Protection Act?

The act controls how personal information is used by an organisation. It sets out strict rules for anyone using data to ensure it’s used fairly and lawfully, for specific purposes and kept secure and safely. However, we know with the spate of high-profile cyber-attacks that data is not always secure. In fact, the Federation of Small Businesses (FSB) claims that small businesses are more likely to be targeted due to insufficient security.

Why are the rules changing?

The changes are being made to harmonise the standards across the EU, with so many businesses operating across borders. It is a much-needed update on the existing Act considering the changing technological landscape. What’s more, Brexit is unlikely to have any impact on GDPR and will not affect the start date.

What constitutes personal data?

The key difference between GDPR and the former DPA is the definition of ‘personal data’. With the new act, now any information that could potentially identify a person is classed as ‘personal data.’ This means any information kept on employees, customers or job applicants and IP addresses.

What are the new GDPR rules?

  • For large firms, with over 250 employees, a Data Protection Officer (DPO) must now be employed to collect and keep data securely.
  • For small businesses with under 250 employees, GDPR applies when: processing of data is likely to result in a risk to the rights and freedom of the subjects, it is more than occasional processing or includes special categories of data (which the act sets out in Article 9).
  • Any security breaches must be reported immediately to the Information Commissioner’s Office (ICO) – ideally within 24 hours but no more than 72 hours.
  • Individuals will have the right to withdraw their consent for the use of data, essentially becoming ‘forgotten’.
  • Failure to comply will lead to hefty punishments. The ICO can fine up to £500,000 for misuse but the GDPR will be able to fine up to €20 million or 4 per cent of annual turnover (whichever is higher).

How will GDPR impact me as a small business owner?

In theory, businesses with under 250 employees will not be bound by GDPR (set out in Article 30) – unless under the circumstances above. However, if your business routinely deals with personal data then you should abide by GDPR to protect your business.

The ICO has advised that any business which is affected by the DPA will also be affected by GDPR, so this is a good gauge.

Whether you are directly bound by GDPR or not, it will remain as good practice to ensure you have tight rules in place around the collection and use of data. This needs to be demonstrable if questioned.

More information can be found about GDPR on the ICO’s website including a self-assessment toolkit for SMEs. Look out for our next steps guidance series on GDPR coming soon…