Home | News & Blog | Could new data protection rules mean the end of SMEs?

ShareCould new data protection rules mean the end of SMEs?

Data Protection. Whatever your views on it, it’s about to take up a whole lot more of your time, even if you’re a sole trader.

The General Data Protection Regulation (GDPR) is the new legislation to come from Brussels which is designed to create consistent data protection laws that apply to every European citizen and which aims to “strengthen consumer protection and enhance trust and confidence in how personal data is used and managed”. This new law replaces 1995’s Data Protection Directive (from which the Data Protection Act was born) and covers how personal data is gathered, stored, shared, processed and used.

The GDPR has been four years in the making and, although it’s not due to be formally published until this summer and then enforced in 2018, it’s already bringing the subject of data protection into the boardroom for the simple reason that a DP breach poses such a massive financial risk that even the largest company could see its operating profit disappear.

Using TalkTalk to put it into context – if GDPR had been in place last October when the data of 150,000 customers was compromised, the fine for the breach alone could have amounted to almost £72 million (based on 4% of their 2015 global revenue), a cool £12 million more than the reported total financial cost and enough to wipe out their £54 million operating profit.

Scaremongering or just plain scary?

You might consider this scaremongering but the truth is that the fines that’ll be levied for breaches are scary. Operating on a tiered basis, you’ll be asked to cough up 2% of annual global revenue for not having the required records in order, not notifying the supervising authority and data subject (ie the person to whom the data relates) about a breach, or not conducting impact assessments. But this rises to 4% of turnover for violations relating to data security and consumer consent. For SME’s, these fines could mean the end of your business, full stop.

Will my business be impacted?

Quite simply, yes. As the definition of ‘personal data’ has been broadened, the GDPR rules will impact every business across the world that does business with and collects or processes the data of a European citizen.

The new definition is that personal data is any data that can directly or indirectly identify an individual “in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one of more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”. The use of ‘online identifier’ ensures that there is no doubt that IP addresses and cookies are now considered personal information and therefore subject to the same protections as your name, age, address and bank details.

What else do I need to know?

Aside from severe penalties for breaches and a change in the definition of personal data, you also need to be aware that:

  • The rules around consent have been strengthened so you’ll need to seek “unambiguous or explicit” consent from your customers more often. Consent for data processing is not transferrable within your organisation, instead you need to ask for consent for each individual and specific purpose of data processing. This means that you’ll need separate consent to process a customer’s data for billing and separate consent to use their data for marketing purposes, for example. You also need to be aware that consent can be withdrawn at any time and action should be taken immediately to update your records and those of anyone that processes the data on your behalf.
  • Businesses that are larger than 250 employees, or those whose activities require “regular and systematic monitoring of data subjects on a large scale” will need to appoint an expert Data Protection Officer (DPO) to ensure that their business is compliant with the rules. The DPO can either be employed or retained under a service contract.
  • You’ll need to notify the data protection authority within 72 hours of being aware that a breach has occurred. This is more than just saying ‘we’ve had a DP breach’ though; you’ll be expected to include information relating to the “categories of data, records touched and approximate number of data subjects [i.e. customers] affected”.

What about Brexit?

You might be thinking that a departure from the EU would mean that the UK wouldn’t need to comply with the legislation, but you’d be wrong. Doing nothing to improve the standards of protection afforded by our Data Protection Act would mean that the UK could be deemed an unsafe place to do business. Aside from damaging business relationships and our economy, this would place us in effectively the same shoes as the US, which is having long and drawn-out conversations regarding the EU-US Privacy Shield (the replacement to the now dead ‘Safe Harbor’ agreement). To this end, we would have to implement the core elements of the GDPR to be considered a safe place to transfer European’s personal data.

And the Investigatory Powers Bill?

For all of his rhetoric imploring British citizens to vote ‘stay’, David Cameron and his left-hand-lady Theresa May appear to not have noticed that the IPB isn’t compatible with the GDPR legislation, with which we must comply 100% if we remain an EU Member State. Of course, the logical outcome if we do ‘stay’ is that the EU will rule the IPB unlawful, although we’ve been surprised by the illogical approach of the “powers that be” many times before.

In the meantime we won’t comment on whether or not the leaders of our country fail to have a grasp on the big picture – you can reach your own conclusions.  

Have your say!

Are you already making preparations to comply with the GDPR or is this legislation news to you? Whatever your situation, we want to know your views so please leave a comment below.

Related articles

Further information


Share this article:

Rate our article...

Sorry, comments for this entry are closed at this time.