GDPR and SMEs – The Implications of Change
- Accountability – You need to be able to prove your abidance to the new regulations, no matter the size of the business.
- Notification of Data Breaches – Reporting any breaches to the regulators within 72 hours of noticing it. If it is a large breach in privacy, all companies are required to notify their customers. For minor breaches in privacy, where the breach won’t have any serious consequences on the customers, SMEs may decide whether or not to notify their customers.
- Consumer Consent and Privacy Notices – Businesses require customers’ permission to use the data they collect from them, and are obliged to remove customer data from their database if the customer asks them to. Under GDPR, all companies will also need to update their privacy policies and notify their customers of the change. (Articles 12 to 23)
Also note that any international agreements on transfer of personal data made before 24 May 2016 will remain in force ‘until amended, replaced or revoked’ (Article 96). In simpler terms, any previous agreements which fell before that date will continue to use the older laws until a change or new agreement is made, as per the new GDPR regulations.
- Makes it easier to find out laws regarding data protection, as opposed to having to sift through the 28 previous data regulations in place.
- SMEs are officially recognized as being different to larger corporations, and thus receive exemptions from the stricter policies aimed towards larger firms.
- The costs of adapting to the laws are not as high as the news make it out to be – A Propeller Insights survey estimates 36% will pay less than €100,000, and a further 26% will pay under €1m.
- Laws bring clarity – the previous laws, designed in 1995, were not intended for the modern technology or social media platforms we have now; the GDPR helps clarify these areas.
- If you fail to abide by the law, you may face €20m or 4% of your annual global turnover in fines, as seen in Article 83.
- Following the new ‘Privacy by Design’ (Article 25), companies gathering data must hold and process only the data which is necessary for the provision of its duties.
- Increased awareness of the importance of online protection from the introduction of the law may coerce businesses to become more transparent, which could disclose sensitive information.
- If you deal with very personal data (eg. racial/ethnic data, sexual orientation data, political views data) you may be required to hire a Data Protection Officer to oversee data security and adherence to the GDPR (refer to Article 37 for more detailed information).
- If you want to take precautions to ensure you comply with the regulations, these are a good place to start:
- Be aware of the new requirements, as aforementioned.
- Take measures to ensure you comply with GDPR, such as having codes of conduct in place, as per Article 40.
- Secure the data you hold, ensuring you comply with Article 32.
- Draw up reports on your compliance with all the regulations.