In the modern world of technology, the General Data Protection Regulation (GDPR) has influenced the way in which data is stored, collected, and used.
In view of Brexit, Data Protection laws in the UK have become more stringent. Since the COVID-19 pandemic and with the increase of more people working remotely, small, and medium-sized enterprises (SMEs) have been forced to toughen their GDPR policies so that they remain GDPR compliant.
The general idea behind the GDPR is to give individuals more rights over their personal data.
Are you aware of the recent changes to the GDPR rules in the UK? Are you worried about remote working and GDPR? Do you know what impact GDPR will have on your business if you do not comply?
In this article we will cover all of this and more by answering the following questions:
1. What is the UK GDPR?
2. How does the UK GDPR apply to SMEs?
3. How can businesses ensure that they are complying with GDPR?
4. The Future of GDPR
1. What is the UK-GDPR?
The provisions of the EU GDPR were incorporated directly into UK law at the end of the transition period. As a result of this, the UK GDPR now operates simultaneously alongside the Data Protection Act 2018. As the UK is no longer regulated by the EU GDPR, the UK now has its own version which is called the UK-GDPR.
The UK-GDPR took effect on 31st January 2020, Amendments have been made to adopt a legislative framework that is in a UK-only context. These amendments include the following:
Stricter consent requirements
According to Article 4(11) GDPR 2018, consent is ‘any freely given, specific, informed and clear indication of the data subject’s wishes by way of a statement or affirmative action. This is applicable to businesses as they must ensure that consent meets the new GDPR rules. One way in which businesses can check their consent practices is to keep consent under constant review. In other words, if anything changes businesses must be certain that they are prepared, and that consent is clear and easy to understand. If businesses, ensure that consent is their top priority it could enhance their reputation and client engagement.
Notification of a data breach to the Information and Commissioner’s Officer (ICO)
A data breach is a security incident where information is accessed without authorisation. Data breaches that involve clients or employee’s personal information can cause severe problems for SMEs. These problems could cause information to be deleted or stolen, a breach of legislation, financial loss and a damaged reputation.
Security risks are slightly higher for small businesses, this is because they are more likely to lack efficient data security practices. Also, small businesses tend to lack detection software that can identify a data breach quickly. This could have a major impact on SMEs as they are not as prepared to manage a cyber-attack. Under the Information Commissioner’s Office (ICO) a data breach must be reported within 72 hours of said breach.
2. How does the UK GDPR apply to SMEs?
Use of personal data (Staff and Customers)
Personal data includes any data that is held about someone and that could be used to identify them. Small businesses should assess how they use personal data, what data they hold and where it comes from. Once this has been established, SMEs can then better their approach to the GDPR rules. Under the GDPR, IP addresses are considered as personal data. Recital 30 of the GDPR stipulates that an ‘online identifier’ includes IP addresses.
Data Protection Officer (DPO)
Any business that processes large amounts of data must ensure that they appoint a DPO. Law firms hold sensitive personal information about customers or staff for example. Companies that have fewer than 250 employees do not need to keep a record of how they process personal data, unless they are processing data regularly, monitoring individuals or processing sensitive data.
3. How can businesses ensure that they are complying with GDPR?
Remaining GDPR compliant as a small business is pivotal to the reputation of your business. Small businesses need to incorporate six privacy principles into their business operations. These include:
Lawfulness, fairness, and transparency
Purpose limitations
Data minimisation
Accuracy
Storage limitations
Integrity and confidentiality
In view of the current COVID-19 pandemic, businesses have adopted more agile working practices to accommodate the current situation. The current circumstances have increased the demand for maintaining data protection and data security. SMEs could adopt a cybersecurity policy; a cybersecurity policy instructs employees on how to keep your business’s data safe. When businesses decide to implement a cybersecurity policy, it should cover the reasons why it exists, and it must be relayed in a clear, specific, and understandable way.
Further, with employees now working from home, businesses have started to make remote working more permanent. Companies must be extra cautious concerning personal data especially when working remotely. With the flexibility of working from home, organisations must ensure that data remains encrypted. For example, a lot of companies use Microsoft Office this will give them the option to encrypt their saved files. SMEs could also look at using a corporate Virtual Private Network (VPN) to limit the amount of sensitive data that is being accessed.
4. The Future of GDPR
In addition, small businesses must sign a data processing agreement to comply with the GDPR rules. Article 28 section 3 of the GDPR states ‘a data processing agreement is a legally binding contract that involves the rights and obligations of each party regarding the protection of personal data’. Data processing agreements are paramount for GDPR compliance, especially within the digital world SMEs must ensure that internal processes are in place to prevent unwarranted access to personal data. If businesses do not comply, they could be fined depending on the nature of the incident, either £7.9m or 2% of the company’s global turnover whichever is the highest.
Moreover, with the UK coming to a mutual agreement with the EU, speculation surrounded how GDPR would look post-Brexit. Both the UK and the EU temporarily agreed to a Trade Cooperation Agreement. This agreement involves a provision which allows data to flow between the UK and the EU. This has been put in place for sixth months, so that both the UK and the EU can continue to work together on digital trade in the future.
The bridging period can come to an end if the European Commission (EC) makes a decision on the UK’s ‘adequacy status’. This provides a level of personal data protection that is comparable to European Law. The deadline for this is the 1st April, if this does not happen then businesses of any size must put in place alternative arrangements. This essentially means putting in place binding corporate rules or standard contractual clauses on data protection.
How can Pure Business Law help ?
Our specialist Data Protection and Commercial Law solicitors in Bedford and London can assist you with the resolution of data protection issues. If you would like to discuss anything concerning GDPR or anything raised in this article, please do not hesitate to get in contact to speak with one of our solicitors. Pure Business Law is regulated by the Solicitors Regulation Authority and a licensed member of the Law Society of England & Wales.