Is My SME Affected by GDPR?
GDPR stands for General Data Protection Regulation. The fines for a breach? Up to 20 million euros or four percent of a company's annual global turnover, whichever is higher.
That penalty is avoidable and clearly undesirable, so acting as early as possible will best position your SME to keep operating within the law. With the regulation enforceable from May 25th 2018, it is important to recognise the impact it will have on your business. One of the most prominent misconceptions is that GDPR will only be enforced against the largest multinationals; this is not true. Any company that processes the personal data of EU residents will have to be compliant, whether or not you yet know what that looks like.
Insight 1: GDPR is an EU regulation; however, it will still apply in the UK after Brexit.
Matt Hancock, the UK's Digital Minister, had this to say on 22 March 2018 on the topic of Brexit and GDPR:
“There is clearly huge benefit for both the rest of the EU and the UK in having a strong, rich and deep relationship in terms of how data are transferred, but as the evidence of the past few days has shown, that must be done on the basis of strong data protection. That is why we have the Data Protection Bill before the House, and why we think that the GDPR is a good measure that we will not only implement but implement in full, and we will make sure that we have that relationship in the future.” (source: Parliament.co.uk)
This means that if your SME operates in the UK, whether or not it also trades across the EU, it will not be exempt from compliance with the new legislation.
How can my SME become GDPR compliant?
Clear Strategy has developed a framework (which we will discuss further in later posts) to assist and guide your SME through this stage of a company's journey. You are the expert on your business, so stay at the helm and run its operations. Preoccupation and concern with GDPR is noted as a huge headache for SME directors and senior management (Survey Source), regardless of their region. The best method to ensure success, and to instil confidence among your team and clients alike, is to adopt the frameworks of those whose full-time focus and research is to align SME operations with GDPR.
Insight 2: In many instances, a DPO (Data Protection Officer) appointment will be required. Under Article 37 of the GDPR a DPO is mandatory for public authorities, and for any organisation whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health or criminal-conviction data). Size alone does not exempt an SME from this test.
The WP29¹ considers the necessary DPO skills and expertise to include:
- Expertise in national and European data protection laws and practices, including an in-depth understanding of the GDPR;
- Understanding of the processing operations carried out;
- Understanding of information technologies and data security;
- Knowledge of the business sector and the organisation;
- Ability to promote a data protection culture within the organisation.
The role of the DPO may be contracted out to an external service provider and, where it is, the DPO may be a natural person or a legal person (e.g., a limited company).
For more information and clarity regarding this feel free to contact our GDPR specialist team at firstname.lastname@example.org.
GDPR Broken Down
In its most accessible and summarised form, GDPR can be grouped into four categories:
- Comprehensive understanding of the data in your possession, and transparency when using it.
- Explicit, freely given and informed consent for data usage.
- Data security, including requiring GDPR compliance from the processors and other companies that operate within your supply chain.
- Facilitating data subject requests to access, retrieve and delete their data.
These four aspects of business strategy and operations are central to the efficient framework developed by the team at Clear Strategy who make GDPR their personal business.
Insight 3: GDPR is not retrospective
GDPR entered into force in May 2016 and is currently within a two-year transition period until May 25th 2018, when it becomes enforceable. As it is not retrospective, breaches of GDPR before this date will not be penalised under GDPR (although existing data protection law, such as the UK's Data Protection Act 1998, still applies to them); unlawful processing from May 25th onwards can and will be. Note, however, that any processing which continues after that date must comply with GDPR regardless of when the data was first collected, so consent obtained before May 2018 must already meet the GDPR standard if you intend to keep relying on it.
If anything discussed above is relevant, confusing or thought-provoking, reach out to Clear Strategy, where our team of experts is on hand to guide your SME through change.
¹The Article 29 Working Party is an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission.