SMEs: act now to prepare for new data protection law

Garreth Cameron, of the Information Commissioner’s Office (ICO), highlights the importance of preparing for GDPR.

There’s a big change coming to data protection law next year – and all businesses need to be preparing for it, if they’re going to be ready in time.

New legislation, called the General Data Protection Regulation (GDPR), will come into force in May 2018, both in the UK and across the EU, bringing a more 21st-century approach to the processing of personal data.

This will mean more protections for consumers, and more privacy considerations for organisations.

So, what do businesses need to do?

The new legislation will require businesses to look carefully at the way they do things. GDPR places more obligations on companies to be accountable for their use of personal data. Specific new obligations include duties about reporting data breaches, and transferring data across borders.

Consumers will have more rights in certain areas, such as being better informed about what businesses are doing with their data, and having greater access and control over their data, for example the right to request that data about them is erased.

This is more than just legislative box-ticking – businesses must get this right. GDPR means bigger fines for those organisations that get it wrong; failure to comply can cost businesses both financially and reputationally.

But getting it right can really benefit a business. Good information handling makes good business sense, and some will thrive in this changing environment. They’ll be the ones that look at the handling of personal information with a mindset that appreciates what consumers want and expect.

This means moving away from looking at data protection as a compliance issue, to making a commitment to managing data sensitively and ethically, because it’s just as much a part of good business practice as honest pricing or good customer service.

We’re pleased that the government recognises the importance of data protection and its central role in technological innovation and trust in the digital economy. We look forward to offering our view on how the UK can continue to ensure its strength in this area.

Steering your business through this important change

Now is the time for businesses to act, and the ICO is here to help you through this important change.

There are pages dedicated to GDPR on the ICO website, which include:

  • 12 steps: if this is all new to you, these are the steps you need to take to get started.
  • Overview of the GDPR: a living document that will be added to as more guidance is produced by the ICO and Europe.
  • Updated data protection toolkit for SMEs: compare what you are currently doing around data protection with what you should be doing under the new regulation.

Some parts of GDPR will have more of an impact on some organisations than on others. I’d encourage your business to map out which sections of the new legislation will have the most impact on your business model, and plan how you’re going to get ready.

About the author

Garreth Cameron is group manager for private sector engagement at the Information Commissioner’s Office (ICO). 

The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

To stay updated on new guidance, sign up to the ICO e-newsletter. Businesses can also call the ICO helpline on 0303 123 1113, or use the live chat service.