GDPR – don’t get caught in the crossfire

Barrie Giles | August 9, 2017

First Line IT Managing Director Barrie Giles says that small businesses should not panic about the new EU data protection rules, but could take steps to make sure they are not caught out by legislation aimed at large multinationals.

I am writing this blog from the perspective of a small IT business. We have a responsibility to help our small business customers through this new set of rules, but also a responsibility to make sure our own house is in order.

GDPR (the General Data Protection Regulation) comes into effect on 25 May 2018 and will apply in the UK regardless of where we stand on Brexit.

Most articles on this subject start by talking about humongous fines if you get it wrong – but all they are trying to do is catch your attention or scare you into paying large consultancy fees to avoid any problems.

With GDPR, the EU Commission is effectively taking a huge cannon and pointing it at multinational corporates such as Yahoo, TalkTalk and O2, who have been careless with our data in the past, let hackers get their hands on it, and then said nothing about it for many months.

It is these types of companies, with multiple failures and a failure to inform the authorities, that will be paying the large fines.

Speaking as a consumer, I am glad the EU is doing something about it; but sadly there is a danger that small businesses will get caught in the crossfire as usual. As this is a completely new set of regulations and there is no case law yet, it is very difficult to know precisely what to do to avoid being caught out by the regulatory police.

The Information Commissioner’s Office website www.ico.org.uk is the best source of advice but even that can seem overwhelming.

The good news is that the GDPR does recognise that smaller businesses require different treatment from large or public enterprises. In the words of the regulation, a small business is any business that employs fewer than 250 people.

However, small businesses whose business model depends upon the regular processing of significant amounts of personal data, such as marketing companies, will need to pay more attention and put more effort in than the average B2B business, and should probably get specialist advice.

It all comes down to the size of the risk to the privacy of EU citizens.

The regulation is made up of 99 ‘Articles’, and you can see a record of them here.

Point 5 of Article 30 states that the record-keeping requirements will not apply to an enterprise or an organisation employing fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data, such as criminal records.

So GDPR does:

  • Apply to all businesses, but less so to small businesses – particularly those who are B2B
  • Only apply to data held by organisations relating to individuals

And GDPR does not:

  • Mean that a small business has to employ or appoint a Data Protection Officer (DPO)
  • Mean that a small B2B business needs to do anything other than know what data it holds, know where it is, know that it has permission to hold and use that data, and – most importantly – keep it safe
  • Mean you will be unexpectedly fined an amount that could threaten the life of your business

So, what I am going to do for my business is:

  1. Make a list of the data I hold on individuals – such as HR files, payroll and marketing spreadsheets
  2. Make sure it’s up to date and delete anything or anyone I don’t need for my business
  3. Restrict access to the data by using folder permissions or password-controlled access only to those people who absolutely need to use it
  4. Seriously consider encrypting the data
  5. Review my network security
  6. Speak to any organisation that holds data on my behalf, such as payroll services, to ensure they are taking the right steps
  7. Hold off buying or importing any mailing lists until all this has settled down and I can be certain that for all the contacts on the list there is an auditable record of consent
  8. Have the ICO number to hand just in case we suffer a breach of our system. It must be reported within 72 hours.
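Steps 1 and 3 of the list above are the ones a small IT business can partly automate: find the files that look like they hold personal data, then check whether anyone beyond the owner and the intended group can read them. The script below is an added example written for this post, not something from First Line IT or the ICO. It assumes a Unix-style file server where access is controlled by owner/group/other permission bits, uses a constructed list of filename hints (`PERSONAL_DATA_HINTS`) that you would replace with your own naming conventions, and builds its own sample folder in a temporary directory so it can be run as-is.

```python
"""Inventory files that look like they hold personal data and check who can read them."""
import os
import stat
import tempfile
from pathlib import Path

# Filename fragments that hint at personal data in a typical small business.
# This is an assumed list for the example; extend it for your own naming conventions.
PERSONAL_DATA_HINTS = ("hr", "payroll", "marketing", "contacts", "staff", "customer")


def looks_like_personal_data(name):
    """Crude step-1 inventory heuristic: does the filename suggest data on individuals?"""
    lower = name.lower()
    return any(hint in lower for hint in PERSONAL_DATA_HINTS)


def audit_directory(root):
    """Walk `root` and return one record per candidate personal-data file.

    Each record says whether the file is readable or writable by users outside
    the owner and group ("others"), which is the simplest sign that folder
    permissions have not been restricted to the people who need the data (step 3).
    """
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            if not looks_like_personal_data(name):
                continue
            path = Path(dirpath) / name
            mode = path.stat().st_mode
            findings.append({
                "path": str(path.relative_to(root)),
                "world_readable": bool(mode & stat.S_IROTH),
                "world_writable": bool(mode & stat.S_IWOTH),
                "mode": stat.filemode(mode),
            })
    return findings


def summarise(findings):
    """Count candidate files and how many of them are exposed to 'others'."""
    exposed = [f for f in findings if f["world_readable"] or f["world_writable"]]
    return {"candidates": len(findings), "exposed": len(exposed)}


def build_demo_tree(base):
    """Create a constructed sample layout: two personal-data files, one of them
    left world-readable, plus an unrelated file that should not be reported."""
    base = Path(base)
    (base / "finance").mkdir()
    (base / "sales").mkdir()
    payroll = base / "finance" / "payroll_2017.xlsx"
    hr_files = base / "finance" / "hr_files.csv"
    brochure = base / "sales" / "brochure.pdf"
    for p in (payroll, hr_files, brochure):
        p.write_text("constructed sample content\n")
    os.chmod(payroll, 0o640)    # owner rw, group r: restricted as it should be
    os.chmod(hr_files, 0o644)   # world-readable: this one should be flagged
    os.chmod(brochure, 0o644)   # not personal data, so not reported at all
    return base


def run_demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp)
        findings = audit_directory(root)
        return findings, summarise(findings)


if __name__ == "__main__":
    demo_findings, demo_summary = run_demo()
    for f in demo_findings:
        flag = "EXPOSED" if f["world_readable"] or f["world_writable"] else "ok"
        print(f"{flag:8} {f['mode']} {f['path']}")
    print(demo_summary)
```

Run it against your real shared folders by calling `audit_directory("/srv/shared")` (or whichever path you use) instead of `run_demo()`; the list it prints is a starting point for the inventory in step 1, and every `EXPOSED` line is a folder whose permissions need tightening under step 3. On a Windows file server the same check would be done against NTFS ACLs rather than permission bits.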


My view today is that if I do all of that and, most importantly, never have to report a breach, I will not be getting a visit from the regulatory police.

If I have the misfortune to suffer a reportable breach and thus become known to the authorities, the worst that will happen in the first instance will be an audit, a list of actions to be taken, and a slap on the wrist.

So that’s my priority: to do everything I can to avoid a breach and make sure I delete anyone’s record when they ask so the ICO never gets to hear about my business.