Mention the GDPR to most small business owners and the response is likely to be one of three things – fear, irritation or ignorance.
There’s lots of misinformation doing the rounds about the GDPR. But rather than seeing it as a problem, the experts I spoke to urged companies to see the opportunities it presents, not just the difficulties that need to be overcome.
What is the GDPR?
“The General Data Protection Regulations (GDPR) is a new set of European regulations that will overhaul our existing data protection laws,” says David Bowen, Director at Bowen Eldridge Recruitment. The regulations effectively standardise rules across the EU, and the UK has committed to observing the GDPR even after Brexit. “It’s going to have far-reaching consequences for how businesses look after their personal data, and to enforce these new regulations, the GDPR will also allow for significant fines for companies who breach these new rules.”
So should companies be worried about this? After all, time is running out – on May 25 next year, the GDPR becomes law. “If you think it’s scary, you’re not alone,” says Bowen. “Many businesses are going to be trying to understand their requirements to protect themselves, their employees, and their customers. With this panic, there will be many late-in-the-day requests for new ways of working, or different terms and conditions.” Getting ahead on the GDPR means “you can reduce any negative impact, and reap the benefits of customers feeling more secure when they give their personal data to your company.”
For Ardi Kolah LL.M, Director, GDPR Transition Programme, Henley Business School, the key is to look at the positives the GDPR presents to companies. “The GDPR is a codification of good practice in relation to the processing of people’s data,” he says. “There’s not much in there that most responsible companies don’t know about as good practice they should be complying with anyway.” The starting point shouldn’t be to worry about fines and sanctions, Kolah says – “instead, it’s about creating digital trust when using people’s data.”
The GDPR is a ‘reboot’ for data protection and privacy. “There are two key drivers for why this is happening – transparency and accountability.” The motivation for introducing the law “was not about privacy alone. It was about creating a legal framework for the world’s largest single digital market. It was intended to give greater freedom of choice for consumers, because it would lead to lower barriers to entry and increase competition.”
But privacy has come to the forefront because of the sharp rise in data breaches over the last five years, including several high-profile cases. “This has clouded what the GDPR is really there for, which is not just to safeguard rights and freedoms, but also to deepen digital trust and enable companies to do more with people’s personal data – whether they are customers, clients, employees, or supporters of charities.” Instead of seeing the GDPR from merely a compliance point of view, Kolah advises, “see it as about enhancing your reputation.”
A step-by-step approach
So if you are a small accountancy firm, what should your approach to GDPR be?
- Establish how much personal data is being processed. In practice, you are ‘processing data’ if you are looking at it on a screen. “What’s the nature of that data?” says Kolah. “Is it sensitive? What percentage of it would be regarded as ‘special data’ – for example, a family member who is a shareholder?” As accountants handle a lot of financial data, it’s important to be aware of the distinction between different kinds of data.
- How are you processing that data? Are you processing it legally? Kolah says, “If you have a contract with someone to be their accountant, that contract is your legal grounds.” What’s in that contract in relation to data privacy?
- Give your client a Data Privacy Notice. This outlines the client’s rights under the GDPR, and declares you will only be using their data for the purposes of the contract. “It has to be clear, concise, intelligible, separate from Terms & Conditions and the onus is on you to ensure the client has got it,” Kolah advises. “It’s useful to record it has been issued.”
- Proactively engage with your suppliers, and with employees if you have them, “to ensure you are aware of any changes,” says David Bowen. “Retrain if required, and review document management processes and software.”
- Have contingency planning in place for data breaches. Know what you will do in the event of something going wrong.
- Check the ICO small business kit to see if there are particular compliance issues that affect you. For details, visit the ICO website.
- Assemble all this into a system “for the collection and retention of personal data, both internal and external,” says Bowen. For Payroll Bureau purposes, accountancy practices will be considered a ‘Data Processor’ so you need systems in place to formalise the relationship with the client. “If your practice is sufficiently sized, consider appointing a Data Controller.”
For all the fear that has been generated about the GDPR, it should come as a relief to know that it is not quite as scary as we might have been led to believe. “If you are transparent, accountable and able to justify what you’re doing, you should have no problem complying with the regulations,” Kolah says.
Finally, think about things from the point of view of the client. “The GDPR is about a risk-based approach to privacy,” says Kolah. “If you demonstrate that you’re not exploiting the client in any way, or doing anything inappropriate, you are likely to be fine.”
Mark Blayney Stuart is Business Journalist of the Year, Wales Media Awards 2017 and Former Head of Research at the Chartered Institute of Marketing.