The internet has changed the world. A thief is no longer required to hold a bank at gunpoint to loot money. They can connect to the internet, hack databases and steal more money than they could probably ever find at their local bank.
For a long time, consumers and businesses were unaware of the fact that they were guarding enormous wealth. It took several data breaches for us to realise the true value of personal information.
So, should we hesitate in giving away our confidential data on the internet?
Should we uninstall applications that demand access to our sensitive information?
Should we ask ourselves constantly, how exactly secure is our data on the web?
The introduction of the GDPR ensures that we never have to worry about these questions again.
The EU General Data Protection Regulation (GDPR) has replaced the EU directive that was implemented in 1995 to protect data. The GDPR has been designed to provide better security to the EU citizens from data and privacy breaches.
It gives the users greater control over the potential use of their personal information. It is a necessary measure considering how data driven our world has become in recent years.
But how does the implementation of GDPR affect a small business and its non-financial objectives?
Impact of GDPR on Businesses
GDPR will affect every business that holds personal data.
GDPR defines personal data as any information that can be used to directly or indirectly identify a natural person or ‘data subject’. This information includes:
- Postal Address
- E-mail Address
- IP Address of computer
- Details of Bank Account
- Medical Information
The GDPR applies to businesses that collect or process the personal data of data subjects based in the EU. It therefore affects even businesses based outside the EU that collect or process the personal data of an EU citizen.
In 2017, the Queen declared in one of her speeches that the UK would continue to retain its world-class data protection regime. Since Brexit is still under negotiation, GDPR will apply to UK businesses as well.
The government has also given assurances that Brexit will have no impact on the implementation of GDPR, so UK companies will need to comply with GDPR even after the UK has parted ways with the European Union.
GDPR requires businesses in possession of personal data to process that data lawfully, transparently and for a specific purpose. Once that purpose has been achieved and the data is no longer required, it must be deleted.
What Major Changes Should Businesses Expect?
Following are the implications of implementing GDPR:
The key principles relating to data privacy from the EU directive will still apply. However, the one significant change that the implementation of GDPR brings is that businesses involved in the collection and processing of personal data will need to abide by GDPR irrespective of whether the data is processed in the European Union or not.
Unlawful collection and processing of personal data will lead to prosecution of the business concerned, and severe penalties can be levied. GDPR also provides no exemption for cloud-based storage.
It also prohibits businesses from using complicated terms and conditions that cannot be easily understood, and requires businesses to request personal data in a way that is comprehensible and easy to access.
Sufficient care has been taken to ensure that data subjects can easily withdraw their consent whenever they wish to do so. They have also been given the right to enquire about the processing of their personal data, in terms of where and why it is being processed.
An additional right has been granted by the GDPR to data subjects. It is known as the ‘right to be forgotten’. It obliges data controllers to:
- Erase the personal data they have collected
- Stop its dissemination
- Prevent its processing by third parties.
GDPR will also ensure that businesses are complying lawfully with data privacy regulations by requiring them to demonstrate how they comply. As a result, businesses will need to keep detailed records of their processing activities and, at the same time, have the necessary organisational and technological measures in place to demonstrate that they are complying with GDPR.
Consequences of not complying with GDPR
The consequences of not complying with GDPR can be quite severe for businesses. They could be charged with a fine of up to €20m or 4% of their turnover, whichever is greater. The size of the fine depends largely on the scale of the data breach.
The following factors are instrumental in determining the penalty that should be imposed:
- The presence of any intention behind the infringement
- Whether appropriate measures were taken to mitigate risk
- Nature of personal data
- Number of people affected by the infringement
- The extent of damage caused
- The amount of time for which the infringement lasted
- How the Information Commissioner’s Office (ICO) became aware of the infringement
The size of the business will not be taken into account when determining the penalty, which could go up to £500,000. Fines will be collected by the Treasury and not the ICO.
Besides the usual risk of running into legal problems with the ICO, there are far greater dangers that non-compliance with GDPR poses to the business and to society in general. It is therefore advisable to appoint a Data Protection Officer (DPO) to ensure that your business does not fail to comply with GDPR.
Get in touch with us today to learn more about ensuring your small business complies with all UK laws, including tax responsibilities and accurate financial declarations.