GDPR and the SME: What it means for you
We look at how data protection laws continue to impact SMEs
It’s been almost five years since the General Data Protection Regulation (GDPR), and the UK Data Protection Act 2018 came into force, with organisations of all sizes expected to be up to scratch with their compliance procedures.
The new regulations have already seen the UK’s data regulator set an example using the data breaches affecting British Airways and the Marriott hotel chain. These investigations resulted in notices of intent to fine the two companies £183 million and £99 million respectively. However, British Airways was saved by the pandemic and was only fined £20 million.
British Airways has since also had to settle the compensation claims made against the company. Whilst the amount is not known, once legal fees are included we can be sure the figure is substantial.
However, while larger corporations have so far faced the toughest action, it’s just as important for small businesses to adhere to the rules. This is because fines can be scaled by a percentage of revenue.
Unfortunately, for smaller businesses, the added dimension of Brexit may also play a role in disrupting day-to-day operations once the UK has fully left the EU. While GDPR will be enshrined into UK law as part of the European Withdrawal act, the limited ways in which UK businesses are legally able to receive data from the EU will hit small businesses the hardest, should the UK fail to reach a data adequacy agreement.
Do I need to obey the GDPR?
Yes, you do. There’s a lot of misinformation floating around the internet on this topic, especially when it comes to the UK’s relationship with the EU.
Fundamentally, GDPR still applies now that we have left the European Union. Not only have the principles of GDPR been applied to UK law in the form of the Data Protection Act 2018, the EU’s data protection laws will also be enshrined into UK law as part of the European Withdrawal Act and subsequent law, the DPPEC.
Most articles of the GDPR apply to both large and small businesses. In that sense, small businesses need to follow the same rules and advice set out in our Guide to the GDPR.
Are there differences in the laws?
Some differences do exist, however. Under Article 30 of GDPR, small businesses with fewer than 250 employees are exempt from having to keep records of their processing activities, whether in the capacity of a controller or as a processor. This exemption is removed if the processing is likely to create risk to the rights and freedoms of data subjects, or if processing happens on a regular basis.
It’s also generally understood that small businesses have fewer resources than larger organisations. Therefore, the Information Commissioner’s Office will consider any difficulties a smaller firm might encounter when trying to comply with the law.
Aside from these minor stipulations, small businesses should consider themselves equal to larger firms in the eyes of GDPR. This includes keeping internal records if you do not meet the exemption criteria.
The GDPR established joint liability. Therefore, small businesses that work with larger corporations will need to comply with those same legal requirements.
Do I need a data protection officer?
You might. Whether or not you need such an officer depends on what data you collect and how much of it you collect; the size of your business is not relevant. If your central purpose requires “regular and systematic monitoring of data subjects on a large scale” then you must appoint a data protection officer.
You must also appoint one if you collect records of criminal convictions, ethnicity, religious or philosophical beliefs, political opinions, trades union membership details, health, sex life, or sexual orientation data on a large scale.
The EU does state that “a group” may employ one data protection officer between them, if the officer is readily available to each organisation.
The data protection officer is there to “inform and advise” on data collection practices and monitor compliance. The DPO is also the point of contact with the data protection authority.
You may not need a Data Protection Officer, but you must still appoint a ‘responsible person’ who owns GDPR compliance in your business. Also, a company director should not be the DPO, as this can create a conflict of interest.
Will I be fined for getting it wrong?
Organisations can face fines of up to 2% of their annual turnover or €10 million, whichever is higher, for infringing the GDPR code of practice. This includes failing to meet compliance requirements and inadequately assessing risk as part of a data protection impact assessment.
For actual breaches of people’s personal data, that rises to 4% of turnover or €20 million, whichever is higher.
“Whichever is higher” is the key phrase for SMEs, who could be financially ruined by a data breach. This means the risks are just as serious as they are for a multinational enterprise, although a large business could absorb the penalty in its next financial quarter without too much of an impact.
However, these fines must also be proportionate and generally are. If your policies and governance framework are designed to adhere to GDPR, and you suffer a breach, the ICO would be unlikely to levy a harsh fine against you. You will need to prove that you have tried to adhere to the GDPR. To do this you will need to have extensive record-keeping and your data protection impact assessment(s) in place. Appropriate policies and procedures will also need to be evidenced.
If, however, you cannot prove you’ve made any effort to comply with GDPR, and look ignorant of the law, the ICO will be more likely to issue a fine.
Should I be 100% GDPR compliant by now?
Although GDPR is now almost five years old, most companies are yet to be fully compliant with GDPR. In fact, it’s arguably impossible to be 100% compliant. This is because some of the regulation’s provisions are incompatible with some of the existing legal requirements UK businesses face.
The good news is that the ICO is sensitive to this issue. Provided you are demonstrating a will to abide by the new regulations, you’re unlikely to receive a visit from an enforcement officer.
How will Brexit affect small businesses?
When GDPR came into force, one of the biggest concerns at the time was the uncertainty of the relationship between the UK and the EU, in particular the capacity to move data across borders. The biggest worry was that a no-deal Brexit would put a stop to data transfers from EU territories to the UK. This would have meant UK businesses storing data in Europe for any reason would face monumental disruption and high costs.
These issues were down to the lack of a data adequacy agreement between the EU and the UK. Adequacy is required for data to be allowed to migrate between the EU and a third country (the UK is now a third country). Since the Withdrawal Agreement didn’t contain any provisions for adequacy, the EU was compelled to conduct an assessment as to whether the UK’s laws were sufficiently harmonised with its own.
Without an adequacy agreement, businesses would need to rely on either standard contractual clauses (SCCs) or binding corporate rules, which are expensive channels that require heavy legal consultation. This is something small businesses would have struggled with. What’s more, the European Court of Justice was at one stage considering the legal validity of SCCs. A ruling last June declared that while the Privacy Shield was no longer valid as a mechanism for transferring data between the UK and US, SCCs were still usable.
The UK was granted adequacy in June of 2020. However, the agreement allows the EU to reassess whether the UK’s data protection laws are in sync with GDPR every four years. Therefore, any revision to the law by the UK parliament should be considered carefully as loss of adequacy could have serious consequences.
For members of Your Business Community, a free review of your GDPR is available by getting in touch here.