Dr Michelle Goddard, Director of Policy & Standards at the Market Research Society (MRS), looks at how SMEs can prepare for next year’s EU Data Protection Regulation
The ink may not be dry on the pending EU Data Protection Regulation, with certain provisions still to be signed off, but changes are certainly afoot. The regulation will be the most significant change to data protection in the UK and EU since the 1995 Data Protection Directive, and it will affect businesses of all sizes that process personal data. It is vital that SMEs are ready.
Penalties for non-compliance will be far tougher: under the proposed text, companies could be fined up to 5% of annual turnover or €100,000,000 for contraventions. Data breaches will have to be reported to the regulator and to the affected data subjects, and many small businesses will need to appoint a Data Protection Officer.
There will be a two year transition period once the regulation is in place, but the most sensible decision is to ensure that you are compliant now.
Here are five steps you can take to get started:
1. Audit and strengthen existing policies and practices. Some initial questions to ask yourself are:
   - Do you have a data protection policy that adequately reflects activities across your business and is reviewed regularly?
   - Have you notified the ICO about your data protection activities? Does that notification reflect what you actually do?
   - Are adequate steps taken to secure both physical and digital data files?
   - Are records of personal data kept only for as long as necessary? When and how are they destroyed?
   - Do you really need the information that you hold on individuals? Are both you and they clear about what you are going to use it for?
   - Are you sure the personal information that you hold is accurate and up to date?
   - Is a senior officer responsible for data protection, and do staff know who to report breaches to?
2. Undertake a risk assessment and mitigate known risks: look at your use of security techniques such as encryption, the terms of your written contracts with data processors, and the adequacy of the arrangements covering any transatlantic data transfers.
3. Train staff in your data protection policies and check that they are putting them into practice.
4. Keep up to date and inform yourself through organisations like the MRS or the ICO.
5. Make a visible commitment to ethical best practice by becoming an accredited Fair Data Organisation. Fair Data has been established by MRS to improve best practice in the use of personal data and to guide companies through the process of becoming compliant.