3 Oct 2017

What does GDPR mean for SMEs?

New data protection regulations come into force on 25 May 2018. They are far more stringent and carry significantly harsher penalties than existing regulations. They will affect all organisations processing personal data of individuals and action needs to be taken now to ensure compliance.

There has been a lot of hype in the media about the General Data Protection Regulation, frequently shortened to GDPR, and we have already seen evidence of larger organisations auditing and reviewing their processes and procedures for collecting and storing personal data. Many have started holding information sessions for staff to explain how the changes might affect them in their roles.

For a small or medium-sized enterprise, the changes can be both daunting and confusing, so below we have answered some of the main questions.   

What is GDPR and what exactly does it mean for SMEs?
GDPR is a new pan-European regulation which replaces each country’s existing data protection regulations, the current European Data Protection Directive and its UK equivalent, the Data Protection Act 1998.

It will apply to all member states and ensure that governance of data processing is the same across the whole of the EU. 

As the UK will still be part of the EU when GDPR comes into force, it will apply to the UK as well.

The British Government has already made clear that all extant EU regulation will be subsumed into UK law before the UK leaves the EU so GDPR will continue to apply in the UK post-Brexit. 

Why do we have this regulation?
The purpose of GDPR is to impose certain conditions on organisations which handle personal data to ensure that the consumer/individual knows what is happening to their information, i.e. where it is going, what it is being used for, who else might see it and how long it will be kept on file. It also seeks to ensure that data is kept secure and is not used in a way that is excessive or unfair.

What will these changes mean for SMEs?
All businesses processing data from bases in the EU will need to comply with the rules and all businesses offering goods/services to consumers in the EU, even if they are based outside the EU, will be impacted.

Some changes include:

Businesses will need to give their consumers much more information than ever before about the identity of all the third parties who handle their data.

All businesses will need to review the way their IT systems store, process and manipulate individuals’ data and check it is legal.

All businesses will need to adopt a much more rigorous approach to data protection than before.

SMEs will feel the effect of these changes because many are simply unaware of their obligations and the level of fines for non-compliance.

What if SMEs ignore the rules or are found to be non-compliant?
Non-compliant businesses can be fined up to 20m euros or four per cent of global turnover, whichever is the greater, for each breach of compliance. That should be enough to make most business owners take notice.

What do SMEs need to do and when?
Now is the time to implement some of the changes required under GDPR, simply because of the extent to which the new rules will change current practice.

Auditing of existing compliance should not take too long, but the time it takes to redress any discovered non-compliance could be lengthy. Not acting now could leave an organisation exposed to a claim of non-compliance in just eight months.

So, this was a glimpse of what GDPR could mean to an organisation. It has highlighted the consequence of getting it wrong and touched on some of the changes that are going to come into effect.

SMEs need to ACT NOW to ensure they are ready for GDPR.

To support SMEs in preparation for GDPR, the Digital Growth Programme is hosting a series of FREE breakfast seminars under the heading ‘Getting Ready for GDPR’.

The seminars will be delivered across Derbyshire, Nottinghamshire and Leicestershire by expert consultant Lee Callender. Lee is Director at C4 Ventures and specialises in email marketing. Lee has managed over 1,000 campaigns over the past eight years and is one of the Digital Growth Programme’s consultants*. To book your place please follow the links below.

8 December: Getting Ready for GDPR seminar, Palace Hotel, Buxton 
17 January: Getting Ready for GDPR seminar, Trent Lock Golf Club, Erewash 
23 January: Getting Ready for GDPR seminar, Park Inn Radisson, Nottingham 
12 February: Getting Ready for GDPR seminar, Turbine Innovation Centre, Worksop 
22 February: Getting Ready for GDPR seminar, i-Centre, Mansfield 
2 March: Getting Ready for GDPR seminar, Newark Centre, Newark 

*Please note that this is an awareness-raising seminar and our expert speaker will not be offering legal advice regarding GDPR. For more information about GDPR and links to the Information Commissioner’s Office please click here.