SMEs ignore new data protection rules at their peril – make sure you’re ready.
Small businesses have just weeks to ensure they are prepared for the biggest shake-up in Europe’s data protection laws for more than two decades. For those playing catch-up, the European Union’s General Data Protection Regulation (GDPR), designed to harmonise and strengthen the rules on how organisations handle personal data, comes into force on 25 May. Personal data includes any information that could identify a customer, employee or any other individual about whom you have data.
The GDPR sets out severe penalties for failure to meet requirements, including fines of up to €20m or 4% of the company’s annual turnover (whichever is higher). For SMEs, the key is to be practical and proportionate. Your business may not have access to the resources that large organisations are throwing at GDPR compliance, but a common-sense approach starting with the steps below will get you there.
First, make sure you know what personal data your business already holds, where it is held, how you got it and who you share it with. How do you collect personal data on an ongoing basis? Figure out whether you have customers’ permission to use their data in the ways you do.
Next, you need a data policy that sets out your approach to personal information and answers all the questions you might be asked. It should define how you collect personal data and what you propose to do with the details; it should cover how you will keep this information secure and how you’ll get consent from customers to keep their data; and it should explain how people can make a complaint about the data you hold, or get it corrected or deleted.
The policy must also include a breach response plan, setting out what your organisation will do if there is a failure of some sort. Ensure that all your employees understand the policy. There may be creative ways to manage staff training efficiently. Are you a member of a local business group that offers training, for example, or could you team up with other SMEs to sort out training?
Outside your organisation, regulators expect you to take responsibility for the third parties with which you transact – if a data breach happens because of a failure at one of your suppliers, say, it will be your problem too. Ensure your supplier contracts include provisions that set out what third parties can and can’t do with data you share with them.
With time now short, be realistic and pragmatic about what matters to your organisation and the risks your company is exposed to. Identify your most sensitive data and how it is prioritised. Find out where the weak links in the chain may be. Finally, keep in mind that GDPR compliance is not a one-off exercise to be completed by 25 May and then forgotten. Make sure your data policy includes provisions for a regular review of your company’s practices.
Don’t miss out on broadband cash
Small businesses around the UK are being offered access to a £67m funding initiative designed to help them upgrade their broadband connections. The scheme targets small businesses throughout the country, which will be able to apply for vouchers worth up to £3,000 to help them secure ultra-fast full-fibre broadband connections.
The initiative will run until 2021, or until the £67m is used up, and aims to build on a similar scheme in 2015 which saw more than 50,000 small businesses successfully apply for broadband vouchers. While this latest scheme has less funding than the previous one, which delivered vouchers worth more than £80m, ministers hope take-up this time will be similarly brisk.
The vouchers are designed to help small businesses meet the upfront costs of connecting to full-fibre broadband, which can be expensive, particularly in areas where providers are still rolling out their networks. Thereafter, businesses will pay their own rental costs.