Data is increasingly becoming the most valuable commodity for businesses and as such, one of the most protected.
Considering the GDPR is an update to the Data Protection Act which first came into force in 1998, when one gigabyte of data cost one thousand times what it does today, the new regulation is seen by many as long overdue. There was some uncertainty as to whether SMEs would be subject to the GDPR, with earlier drafts of the regulation pointing towards ‘large scale’, but any ambiguity was dispelled when it was later confirmed by the Information Commissioner’s Office earlier this year that SMEs are most certainly not exempt. But will the comparative cost of complying with the GDPR be unfair to SMEs who may lack the time, resources and investment large businesses can afford?
On the face of it there appears to be some relief for SMEs, given that the GDPR excludes companies that employ fewer than 250 people from some of the additional data processing requirements. However, SMEs will still need to figure out where they stand with the GDPR and which exemptions may apply based on the type of data being processed. With fines of up to €20 million or 4% of global turnover, it should make any business sit up and take notice.
Among the important changes is the need to gain explicit consent (consent will no longer be inferred from silence such as leaving a pre-ticked box) by an individual for their information to be used, including all information previously held if such consent was not given at the time. Individuals will need to be informed of these changes through new privacy policies and the GDPR permits individuals to withhold consent and request all held data on them be deleted, the so-called ‘right to be forgotten’. Businesses will need to comply with the obligation to erase personal data ‘without undue delay’, which could become a time consuming task should a large group of individuals invoke the right all at once. There are some exemptions to this however and businesses will be able to refuse a request when personal data is processed for specific reasons, such as the exercise of legal claims or when it is in the public interest.
The more rigorous consent threshold will also mean that any third parties using the information will need to be named when an individual is asked for their consent. A potential impact of this being that if an individual sees their information is to be used by a third party, with no direct benefit to them, the chances are that they won’t consent. Third parties who process data on behalf of other parties will also be subject to a higher responsibility when it comes to handling data and any contracts with third parties will need to be re-visited.
Ultimately, the biggest determining factor as to which businesses will be affected the most is not so much the size or type of business, but how well a business has kept record of its data until now. The major changes brought by the GDPR require knowledge of the data which is controlled and processed by a business. So if this has already been logged and recorded effectively then the transition should be more streamlined. Yet the GDPR will widen the definition of what ‘personal data’ can be, extending its reach to online identifiers such as IP addresses and covers both automated personal data and paper records where personal data is accessible according to specific criteria. Thus any affected business, regardless of size, will now need to compile a definitive catalogue of the data they have on record, check that it is processed in compliance with the GDPR and, if necessary, overhaul the way information is stored, collected and transferred to be ready for May 2018.
Whilst for now it would appear that the GDPR does not in a material way disadvantage SMEs, they do make up 99% of the UK’s businesses and may well find themselves under the spotlight when it comes to compliance.