Toward the end of last year, the Information Commissioner’s Office (ICO) published further guidance on data privacy aimed at the SME market (small and medium-sized enterprises). This adds to its growing library of guidance publications and self-assessment tools intended to inform organisations of their obligations under the General Data Protection Regulation (GDPR) and how to comply with the rules on processing and protecting individuals’ personal data.
ICO’s tools include a step-by-step checklist called “How well do you comply with data protection law: an assessment for small business owners and sole traders”. It takes the user through a series of questions that prompt SMEs to examine their understanding of their data protection obligations, how the GDPR may apply to their business, and what the organisation should be doing to protect the personal data it processes.
Remind me what GDPR is about?
In brief, the GDPR gives individuals rights over their personal data. This in turn means that organisations carry an increased regulatory burden and additional obligations to make sure that the personal data they hold is protected. This includes providing clearer information to individuals about how and why the organisation holds their data, informing individuals of their rights over that data, and ensuring the organisation has adequate security in place to protect it. Organisations must also have in place, and maintain, a process for identifying, assessing and dealing with any breach of the security of that personal data.
ICO’s Hub also reminds companies that every organisation that processes personal data (unless exempt) must pay a fee to ICO. Failure to pay is a civil matter, and ICO issues fines for non-payment. For more information about ICO fees, see https://ico.org.uk/for-organisations/data-protection-fee/
Some SMEs are concerned about what they see as a disproportionate administrative burden. However, both ICO and the European Commission have been clear that the application of the data protection regulation depends not on the size of the organisation but on the nature of its activities. Activities that present high risks to individuals’ rights and freedoms, whether carried out by an SME or by a large corporation, trigger the more stringent rules. Nevertheless, some GDPR obligations may not apply to every SME: for example, some of the record-keeping obligations are relaxed for smaller organisations, and most small organisations will not need to appoint someone to the formal role of Data Protection Officer.
What do we have to do?
One of ICO’s key aims is to make organisations aware of their obligations. The key questions to ask are:
- What personal data do you hold and what do you do with it?
- Why do you hold it – can you justify it under one of the legal grounds set out in the GDPR?
- What do you tell the affected individual about the data you hold on them?
- How do you keep the data safe?
Penalties for non-compliance
There may be significant fines and penalties for organisations that breach the GDPR, depending on the nature of the incident. For more administrative breaches, fines may be up to €10m (roughly £8.8m at current rates) or 2% of a company’s global annual turnover, whichever is higher; for more significant breaches, fines may be up to €20m (roughly £17.6m) or 4% of global annual turnover, again whichever is higher.
So perhaps the question SMEs should be asking themselves is: can you afford not to comply?
Our advice to those who have still not given much thought to the GDPR and how it affects their business is to make it a (belated) New Year’s resolution, take the first step and follow ICO’s checklist.
Our lawyers provide expert legal advice to your business to ensure that your documents, including your websites and contracts, are appropriate and robust. We also offer to review your terms and conditions and recommend updates and improvements to make them more effective and better suited to your business.
For more information, or for advice on how the GDPR applies to your organisation and what steps your business should take to comply with the regime, including drafting or amending your Privacy Notice or compliance documents, please get in touch with us at [email protected] or contact Rachel Robinson, the author of this blog post, at LawBite.
This note is a summary of the GDPR and does not constitute legal advice.
The author of this blog post, Rachel Robinson, has over 20 years’ experience of providing company and commercial law advice, including drafting contracts, data protection and competition law, to organisations of all sizes, ranging from FTSE 100 companies to owner-managed small businesses.