European data protection laws are changing
The new European personal data regulations come into force in 2018 – and SMEs need to start preparing now.
In May next year, the Data Protection Act (DPA) will be replaced by the EU’s General Data Protection Regulation (GDPR), a framework with greater scope and much tougher punishments for those who fail to comply with new rules around the storage and handling of personal data.
While this new framework comes into place as the UK enters the process of uncoupling from the EU, the Great Repeal Act means it it is likely to be converted into British law.
The DPA dates from the 1990s, and a time when only the largest companies had the means to collect and store significant amounts of data.
In the intervening years, the ease and sophistication of data collection means that thousands of SMEs not only collect personal details, but store, move and access them online. Personal data is used in everything from sales to customer relationship management to marketing.
Cybercriminals have been quick to see the opportunity. In 2016, companies in the UK lost more than £1billion to cybercrime. Major data breaches have given criminals access to names, birthdates and addresses and even social security and pension information.
Moreover, a recent report from the Federation of Small Businesses (FSB) claims that SMEs are now more likely to be targeted by cybercriminals than their large corporate counterparts. Cybercriminals consider SMEs softer targets than their well-defended corporate counterparts.
Which is why the GDPR is considered long overdue by many authorities, and ignorance will be no defence for SMEs who fail to comply.
What does GDPR mean for SMEs?
Among many new conditions, one of the biggest changes SMEs will face concerns consent. Under the new regulations, companies must keep a thorough record of how and when an individual gives consent to store and use their personal data.
And consent will mean active agreement. It can no longer be inferred from, say, a pre-ticked box. Companies that control how and why data is processed will have to show a clear audit trail of consent, including screen grabs or saved consent forms.
Individuals also have the right to withdraw consent at any time, easily and swiftly. When somebody does withdraw consent, their details must be permanently erased, and not just deleted from a mailing list. GDPR gives individuals the right to be forgotten.
In the event of a data breach, GDPR forces companies to inform relevant authorities within 72 hours, giving full details of the breach and proposals for mitigating its effects.
These new conditions alone – and there are many more – show just how demanding the new regulations will be for companies of all sizes. GDPR forces SMEs to know exactly what personal data they hold and where it is located (whether on PCs, on servers, or in the Cloud), and have procedures in place to ensure its complete removal when a request to do so is made. Monitoring protocols must be able to recognise and act on breaches as soon as they happen, and an incident recovery plan put in place to deal with the repercussions.
“Privacy by design and default is the cornerstone of the GDPR,” says Anita Bencsik, data security senior consultant at BT, which provides a consultancy service for businesses to check if they have got the right security in place.
She adds: “This stipulates that — from the initial stages onwards — organisations must consider the impact that processing personal data can have on an individual’s privacy. This means, for example, that every new business process or product that could involve personal data or impact the privacy of an individual, must be designed in accordance with data protection requirements.”
Preparing for all this will require a full information audit and, for many companies, a change in culture, which SMEs should start to plan and implement well in advance of the 2018 deadline. Personal data is a key tool for SMEs looking to target and retain customers: GDPR means it must be handled with the utmost care.
BT has produced a white paper, Dealing with new EU data-protection regulation, which outlines the implications of the new regulations and offers insight into how to best prepare for their implementation.