How EU data protection changes will affect UK SMEs
The EU's new European Data Protection Regulation is designed to harmonise data protection laws across member states, and while this aims to make things simpler in the long term, it has thrown up some more pressing issues for the UK's SMEs.
If you are an SME owner, you will be surprised at how quickly the two-year 'transition period' that precedes implementation of the new regulation flies by, so it might be worth putting a strategy in place now to avoid falling foul of the changes.
What classifies as personal data is now a huge consideration. If your company is holding information on the location of internet connections, reference numbers or other data that is not directly linked to other personal data on a specific individual, this information is not protected by the current laws. All that will change with the introduction of the new regulation, which classes such information as "personal data", whether or not it is combined with individual-specific data such as email addresses.
As a result of this change, more SMEs than ever are likely to be affected by data protection laws - including those who previously held information that was not considered personal data. With fines of up to 4% of a company's annual global revenue slated for those firms that fail to comply, the time to undertake an extensive review of the data your company holds and how you use it may be now.
UK data protection laws have, in the main, been fairly consistent over the last two decades or so, which means for many companies, the changes could lead to a new way of operating. Given that UK law firms were investigated 187 times for data protection breaches in 2014, according to a study by encryption firm Egress, we could be ushering in a new way of data acquisition and harvesting, particularly in the legal sector.
Users currently have the right to see which of their data is in the possession of 'data controllers', and under the new regulation, it is likely that the time controllers are given to produce such data will be reduced. SMEs can also face demands from users asking for their data to be removed or erased, which is another consideration brought about by the new changes. Getting processes in place to administer these requests is vital, as they could involve more complex procedures such as syncing across multiple systems.
In the internet age, the power of data and how it can be utilised for business purposes has been universally embraced, but EU data protection changes mark a turning point in the amount of time ring-fenced by SMEs to look carefully at their data use. Aside from the obvious embarrassment and PR own goal that would be the result of a data protection breach, the scale of the fines for a breach is such that an investment in making sure IT security infrastructure complies with the new regulation could end up saving you thousands, and in some cases millions, of pounds.
After all, it is not just the big corporations such as Google and Facebook that stand to take a hit if they don't fall into line - 4% is a large chunk of any business's revenue.