Giving more and more rights to the consumer always seems like the right thing to do, but what will it mean for you as an SMB? Since the GDPR came into force, companies have been scrambling to keep up with the new law. It applies throughout the EU and gives consumers much more say over what information about them a company can collect.
In this grand scheme of things, where do SMBs find themselves? Let’s look at a few questions that might be circling around your head as an SMB.
Do I need to abide by GDPR?
Yes, my friend, you do!
There might be some information floating around the net saying that you don’t, but that’s false. Both the EU and the Information Commissioner’s Office have made it very clear that you absolutely have to follow the rules. The confusion is probably due to Article 30, which states that SMBs and large firms have to maintain different types of records.
If you have fewer than 250 employees, then you must hold internal records of your processing activity where the data being recorded could put someone’s life or freedom at risk, or where the data relates to criminal convictions and offences.
For firms with more than 250 employees, a more detailed record is required: the name and details of your organization; the name and details of your data protection officer; why you’re processing the data; a description of the types of individual and the categories of their personal data, as well as the categories of recipients of this data; details of any transfers of that data outside the EU, including documentation proving that the data will be safeguarded abroad; retention schedules; and a description of your technical and organizational security measures. All of these need to be maintained very meticulously.
Do you need a data protection officer?
You certainly might!
Whether you need one or not depends on the data you collect and not on the size of your business. If your reason for collecting the data is to regularly and systematically monitor individuals on a large scale, then you might need one.
It is also advisable to appoint one if the data you collect deals, on a large scale, with records of criminal convictions, religious or philosophical beliefs, political opinions, trade union membership, health, sex life or sexual orientation.
The main work of a data protection officer will be to monitor data, to advise on collection practices, and to be the point of contact between your company and the data protection authorities.
What fines might you need to pay if you get into trouble?
The fines that can be levied are very hefty. They can go as high as £50,000. When the new data rules apply, an organization can face a fine of up to @% of its annual turnover or €10 million, whichever is higher, for infringing GDPR’s code of practice.
A fine of this size can potentially make any SMB go bankrupt.
How do you prepare for GDPR coming into force?
Considering how dangerous it is to break GDPR’s norms, ignorance about the rules and regulations is still surprisingly high. One survey from the London Chamber of Commerce and Industry found that a quarter of London businesses were entirely ignorant of GDPR.
Some things for SMBs to keep track of are:
- Document what personal data you hold.
Sift through all the personal data you hold. What purpose was it collected for? Where did it come from? Who is it about, and is it still relevant?
- Ensure you can honor citizens’ data requests.
Under GDPR, EU citizens can request that you delete or amend the data you collected about them, or move it to another organization. Your processes and technology must make it possible to honor these requests within a month.
- Establish a lawful basis for processing data.
Under GDPR, opt-out boxes don’t work anymore. Instead, you need to have a lawful basis to process a citizen’s data. If consent is the basis, then it must be opt-in, and the citizen gives the data to be processed only for a limited period of time and for a clearly defined purpose. Consent can also be withdrawn, so it’s wise to consider all the lawful bases you can use to process the data.
- Be prepared for data breaches.
Ensure your process allows you to notify and alert the data protection authority within 72 hours of a breach.
- Appoint a data protection officer.
It may at times look like it’s not required, but trust us: you always want someone keeping a very careful eye on the data that comes in. It’s always better to be safe than sorry.
For more information on GDPR and how you can make sure you are always following the rules, contact us at Datahut, your big data experts.