14th May 2018
NB: This BLOG is deliberately written without pulling any punches!
There are only a few days left before the Europe-wide GDPR regulations on Data Protection come into force as the Data Protection Act 2018 and revolutionise the landscape of Data Protection in the UK.
Here at Transition Law we must report a serious and worrying trend of apathy and ignorance about GDPR throughout the SME businesses we deal with on a daily basis.
This BLOG has been written to dispel some myths and hopefully serve as a call to action for any small business people who have not yet considered their position after 25th May 2018.
MYTH 1. - It won't apply to me.
GDPR applies to EVERYONE who processes personal Data. The detailed definition of this is quite complicated, but in its simplest terms, if someone has given you their data (name, address, phone number, bank details etc.) in the past, then after 25th May you will need to be able to demonstrate that they have specifically consented to allow you to continue to use it.
MYTH 2. - I'll just carry on as usual, no one will bother me about it.
After 25th May consumers will be more informed about their Data Protection rights than ever before. They will be educated to ask for the details of whatever data you hold about them, called a Data Subject Access Request (SAR), and you MUST BY LAW have the following in place:
i) A written policy about how you deal with these requests
ii) Provide them with information about how to complain about you
iii) Comply with their request for FREE and within a one month TIMESCALE
iv) Have a system for recovering the information you hold and getting it to the enquirer.
v) Have the ability to identify and respond both to the individual and to any THIRD PARTY they have authorised to act for them.
MYTH 3. - The Information Commissioner's Office (ICO) has got better things to do than worry about small fry like me.
Generally speaking this may be true, but they cannot ignore a complaint about you; if one is made they will have to act.
Imagine a competitor of yours just wants to cause you trouble, slow down your day-to-day business processes and give themselves an advantage by tying you up in red tape. They get one of your customers to give them third party rights to make a Subject Access Request on their behalf and then, after you fail to deal with it correctly, report you to the ICO, who will then have to act against you.
MYTH 4. - The ICO has no real powers.
The ICO's powers will be increased under the GDPR regulations, the cost of a Data Controller's Licence will increase (did you even know you need one right now?) and most of the things you can get wrong become criminal offences.
However, in the last few months and under the CURRENT regulations, quite large fines have been levied on SME businesses, e.g. a doctor's surgery in Hertfordshire was fined £40,000 for a Data Breach, a texting sales company in Stockport was fined £19,000 and a telephone sales company was fined £100,000, all as a result of the CURRENT rules, which are not as strong and far reaching as the new ones!
If you have not ALREADY acted to protect your business, or do not feel you FULLY understand what you have to do, then time is running out.
Please contact us today to assist you. We have a (very) few places left on our introductory course next weekend (20th May), which is only 5 days before GDPR begins.
All attendees on the course will receive a FREE compliance manual to ensure their businesses have created a good foundation for their new compliance responsibilities.
Ignorance of the Law is never a defence, and although the ICO have said they will be fair and proportional in their responses, they have also said they will take a dim view of business people who have simply ignored the opportunity to prepare for this massive change.