While many UK-based SMEs might expect Brexit to exempt them from compliance, the Information Commissioner has confirmed that the EU General Data Protection Regulation (GDPR) will apply to the UK and has issued practical advice to help SMEs comply with the new regulation.
SMEs are not exempt from GDPR compliance
In a recent video, Information Commissioner Elizabeth Denham addressed boards and executives on the topic of the GDPR, saying: “If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance. But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit.” While SMEs that process EU residents’ data are not exempt, the good news is that it could be easier to achieve compliance than it is for a large multinational.
What does the GDPR mean for SMEs?
Although small business owners may consider this just another administrative burden, ignoring the GDPR or getting it wrong could have costly repercussions: organisations found to be in breach of the Regulation face administrative fines of up to 4 per cent of their annual global turnover or €20 million – whichever is greater.
Businesses that take the time to properly prepare for and comply with the Regulation will not only avoid significant fines and reputational damage, but will also find that their data handling, information security, compliance processes and contractual relationships are more robust and reliable. They can also make sure marketing efforts are focused on the right customers by ensuring data is up to date and accurate.
Initiate your GDPR compliance project
Initiating a compliance project should be on every organisation’s agenda ahead of May 2018. While it’s not necessarily overly onerous for SMEs and the timeline is likely to span a number of months, the time to act is now.
Data protection professionals are encouraged to get a comprehensive and practical understanding of the Regulation, its requirements and its obligations in order to implement controls, policies and procedures to protect personal data.
Individuals looking to step into the role of data protection officer (DPO) can get a comprehensive understanding of the GDPR by attending IT Governance’s four-day Certified EU GDPR Practitioner Training Course. Alternatively, the one-day Certified EU GDPR Foundation Training Course provides a basic understanding of the Regulation. Each course supports professional development and is available in classroom, Live Online and distance learning formats.
Understand your GDPR compliance position
An essential step in starting a GDPR project is understanding your current GDPR compliance position. The GDPR Gap Analysis service assesses your organisation’s current level of compliance with the Regulation, and helps identify and prioritise the key work areas that your organisation must address, such as DPO requirements, data protection impact assessments (DPIAs), incident response and data breach notification, and subject access requests.
Develop policies and procedures in compliance with the GDPR
The GDPR requires organisations to implement appropriate technical and organisational measures to protect data subjects’ information. SMEs often lack the in-house expertise and resources to develop policies in compliance with the GDPR, so IT Governance has developed the EU GDPR Documentation Toolkit, which includes all the critical documents needed for GDPR compliance.
Businesses need to notify authorities of a data breach within 72 hours
The GDPR requires data controllers to report a data breach to their supervisory authority within 72 hours of discovering the incident. As a result, your business will need a data breach reporting procedure alongside an incident response plan that will provide data processors with guidance in the event of a data breach, manage its impact and ensure you fulfil your responsibilities.
Implement baseline security measures with Cyber Essentials
Considering the repercussions of a data breach under the GDPR, it’s imperative that organisations implement information security best practice. The Cyber Essentials scheme is a cost-effective way for small businesses to establish a baseline of cyber security and is designed to prevent around 80 per cent of cyber threats. Certification demonstrates to clients, insurers, investors and other interested parties that your organisation has taken the necessary precautions to reduce cyber risks.