Three years later, GDPR compliance is critical for small businesses.
The UK General Data Protection Regulations (UK GDPR) took effect on January 1, 2021, and established the fundamental principles, rights, and duties applicable to data processing in the UK. It is almost completely based on the EU’s General Data Protection Regulation (which applied in the UK before January 2021) and coexists with the Data Protection Act 2018. (DPA).
With the proliferation of initialisms, it’s understandable that some small firms get overwhelmed. Some willfully disregard what they perceive to be an administrative burden, while others willfully violate data protection requirements. Whatever your position on the UK GDPR, one thing is certain: failing to comply might result in substantial penalties and reputational harm to your organisation.
The Information Commissioner’s Office enforces data protection laws in the United Kingdom (ICO). The ICO conducts most of its enforcement actions about aggressive direct marketing practices, such as nuisance calls and emails. For example, the ICO fined ColourCoat Ltd, a home renovation firm situated in Hastings, £130,000 in June 2021, to make a large number of direct marketing calls.
HOWEVER, the ICO’s enforcement actions are not confined to willful violations of rules. Mermaids, an organisation that assists transgender adolescents, was fined on July 8, 2021, for failing to safeguard its users’ personal information. The ICO identified a “negligent approach” to data protection in its report, citing insufficient data protection rules and a shortage of face-to-face data protection training. Even though Mermaids is a small charity with just 18 staff, and even though the ICO acknowledged Mermaids took urgent measures to limit the harm to data subjects upon becoming aware of the breach, Mermaids was fined £25,000.
This punishment shows the serious penalties that may await small enterprises that violate the GDPR in the United Kingdom, and SMEs should be aware that the degree of responsibility will be considered when computing monetary penalties. The good news is that since the UK GDPR essentially matches the EU GDPR, businesses complying with the EU GDPR should find themselves generally compliant with the UK GDPR. However, it is prudent to conduct a data audit or review to guarantee continuous compliance in light of the developments. With that in mind, let us discuss what may be done to guarantee that your firm complies with its data protection requirements.
Six measures to guarantee you are GDPR compliant in the United Kingdom
Maintain current policies and processes
Individuals whose data your firm collects must be notified through a privacy notice about the sorts of personal data you collect about them, how their data will be used, and for what purpose (s).
A data protection policy (a privacy standard) should be created for internal use. It should establish the principles and legal requirements that must be followed while acquiring, managing, processing, transmitting, or keeping personal data and data about customers, clients, suppliers, and employees. A revised policy will outline how your organisation handles personal data and educate staff about their responsibilities.
Businesses must examine contracts with third parties that include processing personal data and ensure they are up to date with each party’s duties, whether as a data controller or a data processor.
Educate your company
All staff must be informed of their data protection responsibilities. By educating them on your new rules, notices, and procedures, you can guarantee that they are implemented consistently and quickly. As illustrated in Mermaid’s instance, face-to-face training for workers is also excellent practice to guarantee that your workforce understands their responsibilities. In certain organisations, it is required to designate a data protection officer (DPO) responsible for developing and executing data processing plans and educating the organisation. Even if a statutory DPO appointment is not necessary, it is prudent to designate someone accountable for your organisation’s data security (such as a data manager). However, owing to a lack of resources, SMEs may not make this appointment. If this is the case, hiring a legal data protection expert may be worthwhile to ensure that everyone understands their duties.
Consents should be re-evaluated.
The GDPR in the United Kingdom establishes a high bar for consent. It must be clear, explicit, and voluntarily provided. Conduct a review of your organization’s consent procedures. Ensure, in particular, that approval is conditional on an affirmative “opt-in” action. This effectively eliminates pre-ticked boxes as a viable method of consenting since no affirmative signal can be offered. Consent should be kept distinct from other terms and conditions and should not be required to sign up for a service. Individuals must be informed of their right to withdraw permission at any time.
If your existing consent mechanisms are compliant with the UK GDPR, you do not necessarily need to obtain new consent. Still, you should review and consider whether new consent is necessary, particularly if a significant period has passed or there is a possibility that the purpose or scope of the processing for which consent was obtained has changed in any way.
The right of erasure
One of the GDPR’s provisions in the UK is the right to data erasure (“the right to be forgotten”). While this privilege is limited in scope, your organisation must have the capacity and processes to respond to such demands. You will have one month to provide a substantial response.
Requests for a subject access
Each individual has the right to access their data, and you’ll need appropriate processes in place to handle subject access requests. Access requests are often made in the context of ongoing conflicts or tribunal claims in the workplace. Individual clients who are unsatisfied with customer service are increasingly making requests. A person may legitimately request to view what personal data is being processed and correct. Others submit petitions to avoid the time, effort, and price associated with litigation and get a settlement. Whatever your objectives, be helpful, react substantively within a month (instead of 30 days under the previous rules), and offer data in a machine-readable way. You are not permitted to charge a fee under the UK GDPR, save in certain instances.
Resolving data breach incidents
Personnel must be thoroughly taught and equipped to comprehend and recognise data breaches. Your data manager or data protection officer will need further training after a data breach.
Employee error is a significant source of security hazards in SMEs. You will need to implement internal protocols and expect the same third-party processors to address data breaches. Include procedures for identifying a data breach, investigating it, and assessing the ramifications. Bear in mind that some breaches must be reported to the information commissioner within 72 hours after discovery, and affected data subjects must be notified when a real risk of damage exists.
Small businesses should take steps to ensure their data is securely managed, and those that do so will not only avoid potential fines and reputational damage but will also discover that their data handling, compliance processes, and contractual relationships are robust and reliable, ensuring their business remains secure for years to come.
Our articles are written with the utmost care. However, no liability may be taken for any individual who acts solely based on the information included in them. It is suggested that you get particular guidance in unique instances.