GDPR and small businesses
What is GDPR?
If it’s not something you have heard of already, it’s definitely something you will be hearing about over the next six months! The General Data Protection Regulation (GDPR) replaces the Data Protection Act (1998), and will apply to all organisations as of 25th May 2018. It’s focused on looking after the privacy and rights of individuals, and based on the premise that individuals should have knowledge of what data is held about them and how it’s used.
Why is this important for you?
Being a small business does not mean you are exempt from GDPR. All businesses need to be aware and take steps to get ready for GDPR.
Taking the time to properly prepare and comply with GDPR will mean your data handling, information security and processes are more robust and reliable; it could even give you a competitive advantage.
What are the main updates?
The 8 principles for processing information:
Consent – There are more prescriptive requirements for obtaining consent under the GDPR and employees must be able to withdraw their consent at any time. This will make it harder for employers to rely on consent to justify processing. Employers will need to rely on one of the other legal grounds to process personal data.
Privacy notices – Under the current law, employers are required to provide employees and job applicants with a privacy notice setting out certain information. Under the GDPR, employers will need to provide more detailed information, such as:
Data Protection Officers – Businesses with over 250 employees will have to appoint a Data Protection Officer (DPO) to manage compliance within the business. Even if an organisation is not required to appoint a DPO, responsibility for compliance should be assigned to a specified individual.
Data breaches – Where there has been a data breach (such as an accidental or unlawful loss or disclosure of personal data), the employer will have to notify the data protection authority within 72 hours. Where the breach poses a high risk to the rights and freedoms of the individuals concerned, those individuals will also have to be notified.
How to prepare/What help is there?
The Information Commissioner’s Office (ICO) has provided a 12-step guide for preparing for GDPR, which can be viewed at https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf. The ICO has also launched a helpline to help SMEs prepare for GDPR; you can contact them on 0303 123 1113 and select option 4 to be diverted to staff who can offer support.
Look out for the Breathing Space HR webinar coming soon for a full guide to GDPR. If you wish to discuss how to get GDPR ready, please call us on 0113 386 9270.