The EU General Data Protection Regulation (GDPR) applies from 25 May 2018. It replaces the 1995 Data Protection Directive and the patchwork of national laws built on it with a single regulation that applies directly in every member state. The GDPR covers businesses of all sizes, and small and medium enterprises (SMEs) will benefit from preparing for the changes ahead.
The idea behind the GDPR is to shift control of personal data from businesses to the individuals it concerns. Among other rights, people can ask for their personal data to be erased from company records, although this right to erasure (Article 17) applies in specific circumstances rather than unconditionally. Whether data is being held with a valid basis has become increasingly relevant in recent years, and there are many reasons people might want to remove or protect their personal data in the digital age. With that in mind, the best thing Irish SMEs can do is know their role and be prepared.
Will it affect my business?
Any business that processes personal data is affected by the GDPR, so while there are some exceptions, it's likely that yours will be too. Personal data doesn't just mean customer and supplier data, which many businesses handle, but also employee data: names and dates of birth, addresses, phone numbers, and other contact details are all personal data. Storing customer or employee data either digitally or on paper counts as processing personal data, so almost all businesses will be affected by the GDPR.
It is crucial to understand the data protection principles set out in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability, which makes you responsible for demonstrating that you meet the other six. Most critically, you need to identify the lawful basis (Article 6) for each processing activity and be able to explain it to any individual whose data you process.
It's also important to work out whether you are a data controller or a data processor for each set of data you handle. You may be both: a payroll bureau, for example, is the controller of its own employees' data but a processor when it runs payroll on its clients' employee data.
What should I do?
There are a number of steps you might need to take to comply with the new regulation. First things first: identify exactly what personal data your business handles, how much of it there is, where it comes from, where it is stored and who it is shared with. Article 30 of the GDPR sets out what this record of processing activities must contain.
Once that's done, the Irish Data Protection Commissioner recommends that all businesses review their data processing and bring staff up to speed. Staff awareness training would be a good move, as anyone handling or processing personal data in your business is directly affected. Reviewing the policies and procedures in place for data handling will be necessary, as will auditing IT systems to determine whether they're compliant or need to be updated. From this point on it's a good idea to do business with the GDPR in mind, including when drafting or signing contracts and entering business agreements.
Data controllers decide why and how personal data is processed: a florist who keeps clients' addresses to make repeat deliveries is controlling that data. A data processor, on the other hand, processes personal data on behalf of a controller and only on the controller's documented instructions. If you manage social media accounts or provide IT services for other companies, you are likely to be a processor for the data you handle on their behalf, while still being the controller of your own customer and staff data.
Not sure which category you’re in? There’s a lot of overlap, so it’s quite likely both.
Regardless, companies in either category will need to take definite steps:
- Record, where possible, a general description of the technical and organisational security measures the business has in place (Article 32): encrypting data, limiting who has access, that kind of thing.
- For transfers of personal data to countries outside the EEA, record where the data is sent and the safeguards in place to protect it. See Articles 44 to 50.
- Record your company's name and contact details and, where applicable, those of your Data Protection Officer and of your representative in the EU if your company is based outside it.
By now, you may well be crossing your fingers hoping you’re exempt. Nobody likes extra paperwork after all.
It's true that a small business can be exempt from one part of the GDPR: the obligation to keep a written record of its processing activities. Broadly speaking, businesses with fewer than 250 employees need not keep that record, unless the processing is likely to result in a risk to the rights and freedoms of individuals, the processing is not occasional, or the processing includes special categories of data (such as health data) or data relating to criminal convictions and offences (Article 30(5)). The exemption covers the record-keeping duty only; everything else in the GDPR still applies.
Sensing a catch somewhere? Here it is.
Businesses of this size are exempt only if their processing is 'occasional', and because Article 30(5) gives little detail on what that means, contacting the Data Protection Commissioner directly to check whether the exemption applies to your business is strongly recommended. A business that handles personal data at all is typically processing it regularly (payroll and customer records are processed continuously, not occasionally), but it is worth determining whether your processing is classed as occasional or not.
Businesses whose processing carries a risk to the rights and freedoms of the people concerned must keep the record regardless of size. If you handle health records or other special categories of data, you have to keep it, and that's that. Those are broad conditions, so the vast majority of businesses will need to keep the record, and every business must comply with the rest of the GDPR either way.
Sounds like a lot of work? Look at the bright side. With added responsibility comes opportunity as well, particularly for SMEs.
Benefits of GDPR for Irish SMEs
Like a lot of EU regulations, the GDPR can seem like yet more bureaucratic input from the EU, but it is geared towards streamlining trade and interconnectivity between EU nations. Yes, there’s preparation to be done, but the GDPR will make it easier for small enterprises to do business within the EU, as well as giving individuals increased control over their personal data.
This is becoming more important in the age of digital identity fraud and targeted advertising. Compliance will increase consumer trust in businesses, benefiting everyone involved. Also, having one set of rules instead of numerous ones simplifies the process of doing business abroad. Less international red tape is great news for Irish exporters, and far from being an unnecessary hassle, GDPR can actually help Irish SMEs break into new markets and stay competitive.
Of course, for that to happen, you’ll need to be prepared, so don’t put it on the long finger. The sooner you familiarise yourself with the new regulations, the sooner you can make it work to your advantage and give your business an edge over your competitors.
As always, it's best to do your own research and get an understanding of how it will specifically affect your business. You may even want to consider seeking some expert help from a data consultancy or legal advisor.