Record keeping
This might sound like something of a record-keeping nightmare for smaller businesses, but the reverse could well be true. “For a smaller organisation, the ability to comply should actually be easier,” reckoned Guy Bunker, senior VP at security company Clearswift.
“Under GDPR, organisations of less than 250 employees will not have to employ or train a data-protection officer (DPO).” Essentially, they won’t have to change the structure of their organisation, whereas larger businesses probably will.
Smaller organisations will also benefit from no longer having to notify the ICO of data-processing activities. The GDPR instead requires businesses to keep detailed records of their own processing activity.
“This includes info such as the reason for processing, the description of the categories of the data subjects and personal data, categories of recipients to whom personal data is disclosed, the time limits for erasure and a description of the security measures taken”, explained David Barker, technical director at cloud hosting company 4D.
In fact, companies with fewer than 250 employees are exempt from these record-keeping requirements – but only if the processing is not “likely to result in a risk to the rights and freedoms of data subjects”, does not involve special categories of personal data (such as health data or data on criminal convictions), and is only occasional. If any one of those conditions is not met, even the smallest business must comply with the full record-keeping requirement; routine processing of customer or employee data is unlikely to count as occasional, so in practice the exemption is narrow. We look forward to guidance from the ICO on how those criteria will be interpreted.
Getting it wrong
You can’t ignore the GDPR, and you can’t afford to get it wrong. If you do, your business may face a substantial fine. Indeed, some have questioned the scale of the penalties associated with non-compliance: “If a smaller business were hit with one of these fines,” noted Guy Bunker, “it would be potentially catastrophic.”
How catastrophic? Well, GDPR replaces the old warning system for SMEs with a two-tier fining regime. Tier 1 is for “less serious” breaches of the regulation, such as an administrative failure in record-keeping. Even this can attract a fine of up to €10m or 2% of annual worldwide turnover, whichever is higher.
Tier 2 is for failures categorised as “serious”, such as a breach of the basic data-protection principles, and the maximum penalty is doubled: up to €20m or 4% of annual worldwide turnover, whichever is higher.
“This means that SMEs are exposed to the Tier-1 level of fines for non-compliance with record-keeping or procedure issues,” warned David Barker. However, there are ways to reduce your exposure. “Fines will be set by the ICO, and they do take into account an SME’s code of conduct and certifications such as ISO 27001. It may be worth small businesses pursuing these to give them some protection from fines – as well as implementing best practice when it comes to information security.”
That’s the real point. It’s not about the fines or laws, but about protecting your clients’ data.