GDPR: what does the new EU data protection law mean for small businesses?

After we published last week’s 2017 to-do list for General Data Protection Regulation (GDPR) compliance, readers asked the question: what, if any, impact does this have on small businesses?

The answer: quite a bit.

GDPR requires that any company doing business in the EU – no matter the size – more securely collect, store and use personal information. And like the big guys, smaller companies face fines for violations that may occur.

But the regulation accounts for the fact that smaller businesses lack the same resources as larger enterprises. UK-based data protection consultancy DataHelp makes note of the differences on its website:

Under the current law, as contained in the Data Protection Act, (DPA), the same rules apply, regardless of the size of an organisation. However, the General Data Protection Regulation (GDPR), which will replace the DPA and which is expected to come into force sometime in 2018, recognises that SMEs require different treatment from both large and public enterprises.

One area of concern for small businesses is the GDPR requirement that companies hire a data protection officer. But, as Incisive Business Media’s V3 site notes, that part is for firms with more than 250 employees.

“Smaller firms may still need to employ someone in this role if handling personal data is core to their operations,” V3’s Dan Worth writes. “This may not have to be a full-time employee, but could be an ad-hoc consultant, and therefore, would be much less costly,’”

DataHelp notes that GDPR includes new obligations and liabilities for data processors, specifically:

  • provision of an appropriate level of security
  • data breach notifications to controllers
  • designation of DPOs
  • record-keeping
  • direct liability to pay compensation
  • policing of controllers and assistance with the controller’s compliance with its security obligations
  • breach notifications
  • impact assessments and prior consultations with data protection authorities

The requirement that processors take on more of those responsibilities may sound great if you run a small business, but DataHelp offers this bit of caution:

There is a reasonable likelihood that current agreements between controllers and processors will not be compliant with the GDPR and will probably need updating. This gives processors a foot in the door to renegotiate the terms and potentially re-allocate the risks imposed on them by the GDPR. SMEs are often not in a strong negotiating position when buying or selling processing activities with larger commercial enterprises and so care should be taken when such agreements are renegotiated.

Daunting as it all may seem, small businesses can take comfort in this: as long as they can demonstrate that they’ve put their best foot forward to meet the requirements of GDPR, regulators will work with them on any problems that might arise.

The key is to bring in the right consultants and document all actions taken.

For more specifics on what needs to be done, read through last week’s checklist.