GDPR compliance is essential for UK-based SMEs

Business Insights
05/12/2016

The EU General Data Protection Regulation (GDPR) requires all organisations that collect and handle the personal data of European residents to fully comply with the Regulation by 25 May 2018. While this deadline might seem a long way off, small and medium-sized businesses should not delay their preparations. Here are a few reasons SMEs cannot afford to ignore the GDPR.

The UK Government has confirmed that the GDPR will apply to the UK

Although many UK-based organisations expect Brexit to exempt them from GDPR compliance, the Secretary of State for Culture, Media and Sport, Karen Bradley MP, has confirmed that the EU GDPR will apply to the UK: “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public”.

Moreover, the Information Commissioner, Elizabeth Denham, said that the GDPR is good news for the UK, stating that “both the ICO and UK government have pushed for reform of the EU law for several years”. UK SMEs now have 18 months to achieve GDPR compliance.

SMEs cannot afford to ignore the GDPR fines for data breaches

To ensure that organisations comply with the Regulation, the GDPR enables authorities to impose effective, proportionate and dissuasive fines of up to 4% of annual worldwide turnover in the preceding financial year or €20 million, whichever is higher.

Besides incurring substantial administrative fines, businesses will also be required to notify the supervisory authority and affected data subjects of any data breach within 72 hours, which could cause further reputational damage.

Data protection officer (DPO) appointment for SMEs

Under the GDPR, businesses worldwide, including SMEs, will be required to appoint a data protection officer if their core activities consist of processing personal data on a large scale.

Individuals looking to step into the role of DPO can get a comprehensive understanding of the GDPR by attending IT Governance’s four-day Certified EU GDPR Practitioner training course. Alternatively, the one-day Certified EU GDPR Foundation training course provides a basic understanding of the Regulation. Each course supports professional development and is available in classroom, Live Online and distance learning formats.

The GDPR requires data flow management and updates to policies and procedures

The first step in GDPR compliance is a comprehensive data flow audit of personally identifiable information (PII) in order to create a data flow map that will help pinpoint the location of data. Following on from the data flow audit, businesses will need to update and create new policies and procedures to ensure compliance with the GDPR. These include documents such as a data protection policy, DPO requirements, privacy impact assessments (PIA), incident response and data breach notification, and reporting procedures.

As SMEs often lack the in-house expertise to achieve compliance with the GDPR, IT Governance has developed the EU GDPR Documentation Toolkit, which includes all the critical documents needed for GDPR compliance.

To find out how IT Governance can support your GDPR compliance project, please visit the website, email servicecentre@itgovernance.co.uk, or call +44 (0)845 070 1750.