Is your business ready for the new GDPR effective from 25th May 2018?
Businesses are starting to panic as they try to comply with the General Data Protection Regulation (GDPR) before the 25th May 2018 deadline. It's a wide-ranging regulation designed to protect the privacy of individuals in the European Union (EU) and give them control over how their personal data is processed, including how it's collected, stored and used. It affects every company in the world that processes personal data about people in the EU. Many believe that the GDPR won't apply to them because they have fewer than 250 employees; in fact it applies to every business that has customers, employees or clients in the EU, whatever its size.
Does it apply to me?
Any organisation, regardless of size, that regularly processes EU residents’ personal data must comply with the Regulation. However, SMEs may be exempt from the more rigorous steps.
Article 30(5), for example, states that the rest of Article 30 (which sets out the records of processing activities that controllers and processors must keep) "will not apply to small businesses [those employing fewer than 250 people] except if the processing results in a risk to the rights and freedoms of data subjects, processing is not occasional, or the processing includes special categories of data as referred to in article 9, or personal data relating to criminal convictions and offences."
This means you might not need the extensive documentation that larger organisations are required to keep. Nevertheless, you may find that your suppliers or customers require such documentation as a condition of their new GDPR-compliant contracts, so having it may give you a competitive advantage.
Data protection officers
The GDPR stipulates that certain organisations must appoint a data protection officer (DPO). There isn't an exception for small businesses, so if you fall into any of the following categories, you'll need a DPO:
- You are a public authority (except for courts acting in their judicial capacity).
- Your core activities involve regular and systematic monitoring of individuals on a large scale (for example, online behaviour tracking).
- Your core activities involve large-scale processing of special categories of data or data relating to criminal convictions and offences.
The good news is, you aren't obliged to hire a full-time employee for this role. You can have someone who performs it alongside other duties (provided those duties don't create a conflict of interest, such as deciding the purposes and means of the processing the DPO is meant to oversee), you can share a DPO with other organisations, or you can outsource the role entirely. It may seem a daunting and expensive prospect, but there are cost-effective options out there for SMEs.