SMEs need to prepare now for 2018 data law changes

With the introduction of the General Data Protection Regulation (GDPR) in a year's time, business groups and the Government are urging UK small businesses to start preparing.

From 25 May 2018, all businesses that hold personal data will have to guarantee that their data procedures are fit for purpose and compliant with the new regulation.

Although the GDPR is an EU initiative, the UK Government has made it clear that the legislation will take effect in the UK after Brexit. Businesses that are found to be non-compliant risk fines of up to 4% of their turnover.

The British Chambers of Commerce (BCC) is urging its members to start making the necessary preparations to ensure they are ready for the regulation. From May 2018, all businesses that hold customer data will need to:

  • document the personal data they hold, noting where it came from and who it is shared with;
  • review current privacy notices;
  • check procedures that cover individual rights under the new rules, including how to delete data;
  • review how the company seeks, obtains and records consent from individuals;
  • put in place procedures in the event of a data breach;
  • decide whether a Data Protection Officer is needed and, if so, designate one.

David Riches, BCC executive director, warned businesses not to leave their preparations until the "eleventh hour". He said: "With twelve months to go, there are a number of procedures businesses should be reviewing to determine what changes may need to be introduced to be compliant. Businesses that are already vigilant about their data protection responsibilities won't be unduly burdened by the new legislation."

The GDPR, he said, reflects "modern working practices in the digital age" and will strengthen consumer trust in businesses. He added: "It will establish a single set of rules across Europe, which will make it simpler and cheaper for UK companies to do business across the continent, even after we leave the EU."

There is advice for businesses on the GDPR on the Information Commissioner's Office website.
