The Curry Club is all about business. Whenever we can, we like to give our members useful information to help their businesses thrive. Welcome to the GDPR. If you have no idea what that means, read on…
April 2016 saw the General Data Protection Regulation – AKA GDPR – come into being, and it will come into effect during the next couple of years. Those in the know say it is ‘one of the most significant and anticipated pieces of legislation conceived in the EU in recent years’. But most small and medium-sized businesses in Britain haven’t even heard of it, never mind know what it means to them.
We went looking for information about the EU’s new data protection legislation, and what it means for your small business. It turned out to be quite a journey.
Mass ignorance over GDPR
A recent study reveals 82% of UK companies have either not heard of GDPR or don’t understand it, and 14% want more advice. Just 4% of SMEs surveyed say they understand the legislation and know what effect it’ll have on their business. And it’s a dangerous situation, when the penalty for non-compliance can be as high as 4% of your annual revenue or 20 million Euros, whichever is higher. Ouch.
When does GDPR come into law?
UK businesses used to have to abide by the Data Protection Act 1998, laws set in place long before the internet went mainstream, when most data manipulation was still manual. The digital world is very different, and discussions have been ongoing in the EU for many years about a new data protection regime.
In late 2015 the European Parliament approved the General Data Protection Regulation, and it was finally adopted formally in April. Now it’s the law, and you have two years to comply, the last-ditch date being the 25th May 2018.
Poor explanations don’t help
It’s no surprise so many SMEs are confused and remain ignorant, since the information provided by official sources is written in difficult-to-understand language, not Plain English. We’ve explored any number of websites offering advice, and not one of them bothers to explain the practical aspects and implications of the new Act clearly or simply. But that’s nothing new. The old-school data protection legislation was equally difficult to grasp, equally opaque, and just as poorly communicated. The people who expect us to go by the rules are, as usual, not making it easy.
5 key steps
Having said that, we’ve managed to glean four key pieces of guidance from a massive collection of dense, poorly-written and badly-expressed information. Here they are.
- Privacy by Design – You need to start implementing privacy by design principles, which help you avoid keeping personal data beyond its original purpose and give people access to and ownership of their data. Here’s a decent cheat-sheet revealing how to do it.
- People’s right to be forgotten – For most companies, this means consumers have the right to have their data erased quickly and easily. If the data controller gives people’s personal data to other third parties, those third parties will also have to erase it when the data controller asks them to.
- US multinationals must safeguard data – If US companies collect data about EU residents, they must implement data security in the same way as if their servers were based in Europe.
- Think about hiring a Data Protection Officer. Hm. Right. So SMEs are supposed to hire a dedicated expert to deal with data protection? You could give someone in your company the powers of a DPO, as an alternative, but it’s still likely to be a potentially expensive, complex and time-consuming task.
If you’re confused, you’re not alone. Will some bright spark decide to put together a plain language, easy-to-understand, practical how-to guide to the new data protection law? Something like ‘if you do x with data, you need to do y’? If so, they’ll do us all a great service. Until then, the GDPR will remain more or less impossible to get to grips with unless you’re a lawyer or data protection guru.