First Line IT Managing Director Barrie Giles says that small businesses should not panic about the new EU data protection rules, but could take steps to make sure they are not caught out by legislation aimed at large multinationals.
I am writing this blog from the perspective of a small IT business. We have a responsibility to help our small business customers through this new set of rules, but also a responsibility to make sure our own house is in order.
The GDPR (General Data Protection Regulation) comes into effect on 25 May 2018 and will apply to the UK wherever we are with regard to Brexit.
Most articles on this subject start by talking about humongous fines if you get it wrong – but all they are trying to do is catch your attention or scare you into paying large consultancy fees to avoid any problems.
With GDPR, the EU Commission is effectively taking a huge cannon and pointing it at multi-national corporates such as Yahoo, TalkTalk and O2, who have been careless with our data in the past, let hackers get their hands on it, and then not said anything about it for many months.
It is these types of companies, who have multiple failures and fail to inform the authorities, who will be paying the large fines.
Speaking as a consumer, I am glad the EU is doing something about it; but sadly there is a danger that small businesses will get caught in the crossfire as usual. As this is a completely new set of regulations and there is no case law yet, it is very difficult to know precisely what to do to avoid being caught out by the regulatory police.
The Information Commissioner’s Office website www.ico.org.uk is the best source of advice but even that can seem overwhelming.
The good news is that the GDPR does recognise that smaller businesses require different treatment from large or public enterprises. In the words of the regulation, a small business is any business that employs fewer than 250 people.
However, small businesses whose business model depends upon the regular processing of significant amounts of personal data, such as marketing companies, will need to pay more attention and put more effort in than the average B2B business, and should probably get specialist advice.
It all comes down to the size of the risk to the privacy of EU citizens.
The regulation is made up of 99 ‘Articles’, and you can see a record of them here.
Point 5 of Article 30 states that the requirements will not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data such as criminal records.
My view today is that if I do all of that and, most importantly, never have to report a breach, I will not be getting a visit from the regulatory police.
If I have the misfortune to suffer a reportable breach and thus become known to the authorities, the worst that will happen in the first instance will be an audit, a list of actions to be taken, and a slap on the wrist.
So that’s my priority: to do everything I can to avoid a breach, and to make sure I delete anyone’s record when they ask, so the ICO never gets to hear about my business.