Data Protection - That Only Applies To Large Companies Doesn't It?
In May 2018, the new European regulations on personal data protection will become law and replace the current Data Protection Act (DPA) in the UK.
The General Data Protection Regulation (GDPR) gives, and increases, the framework and scope of data protection legislation across Europe. The authorities are empowered to apply greater punishments for those who fail to comply with the new regulations that cover the handling and storage of personal data.
In the UK, the DPA dates back to the 1990s when the handling of data tended to be the sole focus of the Act. Modern technological advances in both hard and soft ware however, coupled with changing business strategies have now resulted in sophisticated data collection techniques becoming available and used by medium and even small businesses, especially in terms of marketing and analytics in general.
What is the biggest change due to GDPR as far as SMEs are concerned?
There are many new conditions that SMEs must act upon, but consensus is that the area of consent will generate the largest impact on SMEs.
GDPR requires all companies, regardless of size, who handle or store personal data to ensure they’re keeping an accurate record of when and how each individual gives consent for their data to be stored and/or how it’s used.
Also, consent cannot be passive it must be active. This means in practical terms that a formal agreement must be obtained and not inferred, say simply ticking a box on a form for example. This consent method must form part of a clear and auditable trail for individual consent that must be retained on record.
This of course also raises the question can consent be withdrawn or altered? GDPR places onus upon the company to provide an easy and swift method for withdrawal of consent for an individual. Further, the GDPR requires all personal data to be erased upon receipt of a withdrawal of consent. If a company breaks the rules, they have a duty of care to notify relevant authorities within 72 hours.
These, and many more new conditions imposed by GDPR, show how demanding the new regulations will be for SMEs. As a result, personal data protection is now firmly on the agenda for every type and size of business.