DATA PROTECTION AND THE SMALL BUSINESS – LIFE BEFORE GDPR?
The General Data Protection Regulation is very much a hot topic currently with many people taking the view that there is plenty of time to get things sorted out. After all, nothing must be ready until the 25th of May 2018 so there is loads of time.
Is There Enough Time to Comply With GDPR?
Are we basing our calculations on the assumption that businesses and other organisations are already compliant with their data protection obligations? Is everyone who should be already registered with the ICO and have data protection policies beautifully crafted to comply with the law (and any other related obligations of course)? Are they completing everything properly and on time, just as the policy says it will be?
Unfortunately, the organisations that have already faced the enforcement wrath of the ICO would say otherwise. Many more organisations, yet to be challenged, have woefully inadequate processes, policies and understanding of the current legislation, and no knowledge of the GDPR changes expected.
Surely though, larger organisations are compliant and are getting it right all the time?
No. They are not.
On the 22nd May the ICO reported that they were following up an undertaking given by the Royal Bank of Scotland to ensure that they have “appropriately addressed the actions agreed” relating to data protection issues – see http://bit.ly/2qMpENh
On the 4th May 2017, the ICO reported issuing a fine of £150,000 after “three DVDs containing footage of interviews with victims of violent or sexual crimes got lost in the post” – see https://ico.org.uk/action-weve-taken/enforcement/greater-manchester-police/
If large organisations are struggling, what about micros and small businesses?
The reality is that many small businesses
- who should be registered with the ICO are not
- do not have a data protection policy and so
- are not currently complying with data protection law.
The problem is that if you are not compliant with your current data protection obligations it’s going to be harder to get it all right after the 25th May 2018. Leaving it until the last minute is going to give you an impossible job to do.
What should you be doing over the next 6 months?
Step 1 – Understand
Start by taking the time to understand how you need to comply with your data protection obligations.
Step 2 – Assess
Assess how far you are complying with those obligations so that you know exactly where you stand.
Step 3 – Plan
Plan what you will need to do to ensure current compliance (prioritising the most urgent matters) and set yourself a deadline of November 2017 to get it all in place.
Step 4 – Act – It’s all in the Execution
Begin to put measures in place in accordance with your plan.
Step 5 Monitor
Check progress at least once a month so that you can most effectively manage the process.
This should then leave you compliant with current data protection obligations and with 6 months available to tweak things for GDPR compliance.
Isn’t this a waste of time with GDPR set to change things?
No, because for many smaller businesses the changes from DPA compliance to GDPR compliance will be manageable. Things will certainly be a lot easier if data protection compliance is already in place and familiar. After all, it’s easier to learn to perfect something if you have strength in the core.
Need an Incentive to do this?
You might be wondering what your incentive is to get your data protection compliance in order. How does losing 4% of your turnover because you’ve been fined work as an incentive? Yes, that is the top end of the fines and it’s likely fines will be lower than this but do you really want to take the risk?
Call us for friendly, affordable, practical help, training and assessment services on 01244 300413, use Live Chat, email us at GDPR@lawhound.co.uk or put your details in the big boxes on our web site home page and we will be in touch.