New data laws loom

Small businesses ignore new data protection rules at their peril, says David Prosser – make sure you’re ready.


Do you know where your data is?

SMEs ignore new data protection rules at their peril: make sure you're ready.

Small businesses have just weeks to ensure they are prepared for the biggest shake-up in Europe's data protection laws for more than two decades. For those playing catch-up, the European Union's General Data Protection Regulation (GDPR), designed to harmonise and strengthen the rules on how organisations handle personal data, comes into force on 25 May. Personal data includes any information that could identify a customer, employee or any other individual about whom you have data.

The GDPR sets out severe penalties for failure to meet requirements, including fines of up to €20m or 4% of the company's annual turnover (whichever is higher). For SMEs, the key is to be practical and proportionate. Your business may not have access to the resources that large organisations are throwing at GDPR compliance, but a common-sense approach starting with the steps below will get you there.


First, make sure you know what personal data your business already holds, where it is held, how you got it and who you share it with. How do you collect personal data on an ongoing basis? Figure out whether you have customers' permission to use their data in the ways you do.

Next, you need a data policy that sets out your approach to personal information and answers all the questions you might be asked. It should define how you collect personal data and what you propose to do with the details; it should cover how you will keep this information secure and how you'll get consent from customers to keep their data; and it should explain how people can make a complaint about the data you hold, or get it corrected or deleted.

The policy must also include a breach response plan, setting out what your organisation will do if there is a failure of some sort. Ensure that all your employees understand the policy. There may be creative ways to manage staff training efficiently. Are you a member of a local business group that offers training, for example, or could you team up with other SMEs to sort out training?

Outside your organisation, regulators expect you to take responsibility for the third parties with which you transact: if a data breach happens because of a failure at one of your suppliers, say, it will be your problem too. Ensure your supplier contracts include provisions that set out what third parties can and can't do with data you share with them.

With time now short, be realistic and pragmatic about what matters to your organisation and the risks your company is exposed to. Identify your most sensitive data and how it is prioritised. Find out where the weak links in the chain may be. Finally, keep in mind that GDPR compliance is not a one-off exercise to be completed by 25 May and then forgotten. Make sure your data policy includes provisions for a regular review of your company's practices.

Don't miss out on broadband cash

Small businesses around the UK are being offered access to a £67m funding initiative designed to help them upgrade their broadband connections. The scheme targets small businesses throughout the country, which will be able to apply for vouchers worth up to £3,000 to help them secure ultra-fast full-fibre broadband connections.

The initiative will run until 2021, or until the £67m is used up, and aims to build on a similar scheme in 2015 which saw more than 50,000 small businesses successfully apply for broadband vouchers. While this latest scheme has less funding than the previous one, which delivered vouchers worth more than £80m, ministers hope take-up this time will be similarly brisk.

The vouchers are designed to help small businesses meet the upfront costs of connecting to full-fibre broadband, which can be expensive, particularly in areas where providers are still rolling out their networks. Thereafter, businesses will pay their own rental costs.

David Prosser
Business Columnist

David Prosser is a regular MoneyWeek columnist, writing on small business and entrepreneurship, as well as pensions and other forms of tax-efficient savings and investments. David has been a financial journalist for almost 30 years, specialising initially in personal finance, and then in broader business coverage. He has worked for national newspaper groups including The Financial Times, The Guardian and Observer, Express Newspapers and, most recently, The Independent, where he served for more than three years as business editor.