Are you aware that next year – if you hold any client or customer data digitally – you could be liable for a fine of up to 4% of your annual turnover if you’re found to be non-compliant with the new General Data Protection Regulation?
On May 25th, 2018 – irrespective of any other Brexit outcomes – GDPR comes into force, replacing the current European legislation (the Data Protection Directive) and its UK equivalent (the Data Protection Act 1998), and it will profoundly alter the way SMEs manage and structure their customer and employee data. Non-compliance is not an option.
Consumers are going to be given beefed-up, world-leading digital rights. Data is power, and the UK wants to give consumers access to that power. This means consumers have to consent to the use of their data. They can withdraw that consent or request to see the data that companies have on them.
The new regulation applies to controllers and processors handling the personal data of individuals. Perhaps one of the most important things to note is that this new regulation applies to ALL organisations collecting and processing personal data of individuals regardless of the company’s physical location.
Article 4 of the GDPR distinguishes the roles of controllers and processors, which are defined as:
- Controller – “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
- Processor – “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Any small business that processes data for a client firm may have to demonstrate that it has appropriate data-processing controls in place and that it complies with the GDPR. Fines for non-compliance are tiered: for minor breaches, up to 2% of annual worldwide turnover in the previous financial year or €10 million, whichever is the greater; for major breaches, up to 4% of annual worldwide turnover in the previous financial year or €20 million.
Misunderstanding over GDPR
Unfortunately, it seems that many SMEs lack understanding or knowledge of the new regulation and of the heavy financial implications of non-compliance, with 1 in 4 apparently having stopped preparing for it in the mistaken belief that Brexit will mean they no longer have to comply.
A survey of IT decision makers at UK companies by information management firm Crown Records Management has found 24% are no longer preparing for the regulation. A further 4% have not even begun to prepare. More worryingly, 44% of those surveyed said they didn’t think the regulation will apply to UK business after Brexit.
John Culkin, director of information management at Crown Records Management, said: “Firstly, it is likely to be in place before any Brexit. Secondly, although an independent Britain would no longer be a signatory it will still apply to all businesses which handle the personal information of European citizens. When you consider how many EU citizens live in the UK it’s hard to imagine many businesses here being unaffected.”
In addition, according to a June 2016 Close Brothers quarterly survey of UK SME owners and senior management from a range of sectors, 82% had either not heard of GDPR or didn’t understand its impact, with a further 14% saying they’d need to take advice. Only 4% of SMEs felt they understood the legislation and were clear about the effect GDPR would have on their business.
A similar study from Veritas Technologies, a leader in multi-cloud data management, found that many respondents mistakenly believe they are already compliant with GDPR. Almost one-third (31%) of respondents said that their enterprise already conforms to the legislation’s key requirements.
However, when those same respondents were asked about specific GDPR provisions, most provided answers that show they are unlikely to be in compliance. In fact, upon closer inspection, only 2% actually appear to be in compliance, revealing a distinct misunderstanding over regulation readiness.