You’ve probably heard GDPR being mentioned a lot over the past couple of months and maybe wondered what it’s all about. Well fear not my friend, we’re here to explain the basics…

What is GDPR?

GDPR stands for General Data Protection Regulation and refers to a new set of rules and regulations for data protection. The regulation comes from the European Union and all EU countries will be subject to it, regardless of the UK’s exit from the EU. Any business based outside the EU which holds or processes personal data relating to EU nationals will also be subject to the legislation. The GDPR will come into effect in the UK on 25th May 2018.

The idea behind the GDPR is to bring all EU nations up to the same high-standard of data protection and to give individuals more control over how their personal data is being used by organisations.

Why does GDPR matter for small businesses?

The GDPR applies to any business of any size collecting, storing, processing or sharing of personal data. As a small business, it’s highly likely that you do some, if not all of the above. For example, if you’re an online retail business and you collect a person’s name, address, and card details to be able to deliver the product and take payment, that would be collecting, storing and processing personal data. Even if you don’t have customers in the more traditional sense and instead deliver services to another business, personal data will still likely be exchanged in the form of invoices etc. Even things like IP addresses or other online identifiers which are often collected by websites count as personal data.

If personal data is mishandled or a serious breach of data security occurs, it could potentially have significant consequences for a business. Under the GDPR, the UK’s regulatory authority for data protection (the Information Commissioner’s Office) has significant ‘corrective powers’ which means they can issue fines of up to 20 million euros or 4% of a company’s global turnover (whichever is higher) in serious breaches of data security. So, it’s important to make sure that as a small business, you’re taking data protection seriously.

What are the key changes being made by the GDPR?

The UK currently adheres to the Data Protection Act 1998. As the title suggests, this legislation was written in 1998 just as mobile phones, computers, and the Internet were becoming central to day-to-day life, so understandably it’s a bit outdated and doesn’t take into account the risks which accompany an online world.

As mentioned before, the GDPR aims to give individuals more control over their own personal data. It tightens restrictions around how businesses can market to individuals, particularly through mediums such as e-newsletters and cold calls. Individuals can also request to see exactly what data an organisation holds on them and how it is being processed.

It’s important that organisations understand the GDPR for themselves and take steps to ensure they are compliant in advance of the 25th May 2018 deadline. Remember that data protection should be an on-going commitment rather than a mad dash to get it done by the deadline.

The ICO have put together a wealth of resources relating to GDPR, aimed specifically at small organisations https://ico.org.uk/for-organisations/business/

FutureLearn also offers a range of courses relating to GDPR – Just follow the link below and type ‘GDPR’ into the search bar and all of the relevant courses will appear: futurelearn.com