Small businesses and changes to EU data protection
The EU Parliament has been debating a number of significant changes to data protection laws that mark the biggest shift in privacy regulation in the past two decades. These changes have serious implications for businesses in the European Union, including the UK, and experts are advising business owners to take action as soon as possible to ensure legal compliance. The changes will make current EU data protection rules, at present only enforced in some countries or through individual court rulings, compulsory across all 28 EU member states, including the UK.
To find out what these changes mean for small businesses, and identify any steps that you may need to take – scroll down, or use the links below to navigate.
- What changes are being made?
- How will the changes impact small businesses?
- When will the changes take effect?
- What actions do SME owners need to take?
What changes are being made?
The new General Data Protection Regulations (“regulations”) are intended to be more reflective of the current digital age - by giving consumers greater say in how their personal data is used by companies and making businesses more responsible for how they handle and retain data. Key changes in the new data protection package include:
- More stringent requirements for consent
Businesses will be required to obtain clear and specific consent from consumers in order to acquire their data. For instance, the pre-ticked boxes commonly seen on online registration forms will not be considered explicit consent, and will not comply with the new laws. In this example, the action of ticking a box indicates a consumer’s consent, and so boxes must not be pre-ticked.
- The right to be forgotten
Consumers will be able to request that a business stop using or collecting data on them, effectively asking to be ‘forgotten’. This also includes deleting existing data profiles and updating incorrect or outdated information. For business owners, it means they risk losing valuable customer data at the request of consumers.
- The right to transfer data
Consumers will be able to request their data profiles from a business that has collected information on them, so that they can supply it to another business – for instance, where a consumer wishes to transfer their custom to a rival company.
- Employment of a data protection officer
Many businesses will be required to employ a data protection officer to manage the way the firm handles data. This only applies to small and medium-sized businesses if data processing is a core function of the business’s proposition – for instance, as with many marketing firms.
- Watchdogs’ power to issue fines
National watchdogs will have the power to issue hefty fines to businesses that misuse consumer data in breach of the new laws.
- Reporting of data breaches
Companies will be required to report data breaches to regulators within a 3 day time period, or face a penalty.
- Joint liability for companies
Currently, only data controllers bear liability for breaches of data protection laws. The new regulations will make both data controllers and data processors responsible. For example, if a retailer (the data controller) outsources the management of customer information to a marketing firm (the data processor), both would be legally responsible for a breach of data protection law.
As a general summary, the new responsibilities will apply as follows:
| Small Business (little to no personal data stored) | Large Business (all customer data stored and processed) |
|---|---|
| More stringent requirements for consent | More stringent requirements for consent |
| | The right to be forgotten |
| | The right to transfer data |
| | Employment of a DP officer |
It’s important to remember that the regulations will apply to all consumers within the EU, and all businesses that sell or market to consumers within the EU – even if that business is based elsewhere.
How will the changes impact small businesses?
The new data protection rules are likely to have the most significant impact on larger companies – specifically those in the technology sector. However, there are still a few ways in which small businesses could be affected. The extent to which your business may be affected by the regulations will very much depend on the nature of your firm, as well as the extent to which and the way that you currently handle data.
Some small businesses may find that they need to make changes to the way that they collect data online in order to comply with the new data protection laws. The regulations will also see consumers given new rights – to be forgotten and to request that data is edited or deleted – which could have an impact on your business.
Let’s consider the following examples:
- If you’re a retailer with an online shop, there’s a good chance you capture customer data on your website – for instance through online orders and email subscriptions. One change you may have to make under the new regulations is ensuring that consent to use consumer information is clear and explicit.
- If you run a cafe or restaurant that collects email addresses for special offers, you would have to delete any information you’ve gathered at the request of the customer. This could have an impact on your marketing efforts.
Any business that collects, retains or handles consumer data in any way should note the new laws, as it will be required to abide by them. Among the most affected will be businesses for whom data handling is a primary service – for instance marketing and advertising firms. Companies such as these – even those of a small or medium size – may be legally required to employ a dedicated data protection officer in order to comply with the regulations.
For many small businesses, it could be the case that external assistance is required in order to become fully compliant with the new laws. Enlisting the services of third party data protection experts could be valuable for small firms who may not have their own dedicated compliance teams. As a starting point, it’s useful to find out more about current laws. Companies such as Amberhawk, High Speed Training and IT Governance provide online and 1-day courses.
It’s essential that all small business owners take the time to familiarise themselves with the new regulations, identify which areas of their business may be affected, and take the necessary steps to ensure they are compliant before the deadline. Failure to comply can result in hefty fines, which could be devastating to a small business’s bottom line.
When will the changes take effect?
Changes to data protection laws have not yet been fully approved, but they are expected to be formally passed in the spring of 2016. When the laws do come into effect, they will be automatically enforced across all EU member states.
Businesses have until December 2017 to be fully compliant, or face penalties.
Two years might seem like ample time to make any necessary changes, but there is potentially a great deal of work that needs doing, and experts are warning that businesses may struggle to meet the deadline.
Failure to comply with the new data protection laws can result in fines totalling 4% of a business’s annual global turnover – a potentially devastating figure for any small business.
What actions do SME owners need to take?
As stated, the changes to data protection laws will affect businesses differently, depending on the business’s size and sector, as well as the extent to which the business currently uses consumer data, and the way in which that data is handled. Many small business owners will stand to benefit from seeking the advice of a data protection expert, in order to ensure that they are fully compliant with the new laws.
One of the most important steps businesses can take to ensure they adhere to the forthcoming regulations is to make sure they presently comply with the current Data Protection Act 1998. Experts are advising that those who do not already comply with existing data protection law may struggle to meet the requirements of the new regulations when they come into force.
As well as ensuring current compliance, some additional steps that business owners could consider taking include:
- Provide data protection training for staff members
- Carry out a data protection audit
- Take steps to improve data security – for instance, email encryption
- Introduce a data breach policy
- Ensure any third parties you work with are fully compliant
Remember, the key to compliance is ensuring you fully understand data protection laws, and what your business must do to adhere to them. You can read this press release issued by the European Council for more information about the changes to the law. You can also find a number of useful resources about data protection and SMEs here.
Disclaimer: This article has been produced purely for informational purposes. Make It Cheaper holds no responsibility for guaranteeing the accuracy of information provided. All business owners should seek specific legal advice for any queries surrounding data protection policies and laws.
All statistics sourced from: http://www.trendmicro.co.uk/campaigns/eu-data-regulation