Are you too small for GDPR?
The short answer is no. It doesn't matter how small your business is; from one-person bands to SMEs and above, the legal requirements of GDPR affect anyone who, as part of their day-to-day activities, records, stores or uses personal data. GDPR requires that you secure that data, make sure it is accurate, make sure it is available to the person it relates to, ensure that you only hold the minimum amount of data you need, and make sure old data is destroyed correctly after a set period of time or if the individual it relates to requests it.
I am sure you have read a lot about GDPR, also known as Data Protection Law (2018) and soon to be renamed GDPR (UK). It seems complex and bureaucratic, time-consuming to administer and expensive to implement. However, the possible consequences of ignoring it can be severe. Let me give you a simple, quick example:
A UK-based garage is run by the owner, who has two technicians. They service cars, are registered to carry out MOT tests, and do some minor bodywork repairs. They have outsourced the bookkeeping, but the owner does the Tax, PAYE and VAT.
This means that they hold records of clients, suppliers and staff. These records include names, addresses, email details, contact details and bank details. All of this relates to individuals.
In addition, they have a small website where people can see the services offered and book appointments, leaving their names, telephone numbers and other contact details. This too relates to individuals. More than this, the website automatically collects the IP address, MAC address, and the operating system and version of the device used to visit the website. This too is considered to be individuals' information, also known as Personally Identifiable Information or PII.
Due to one of many reasons which will be discussed in a future blog, some of this data is hacked and is used to scam people out of their money. The garage is reported to the Information Commissioner's Office, or ICO, in the UK. The ICO contacts the garage, which admits that data was taken. This results in a fine (the amount of the fine depends on several factors, including the company's turnover, the security measures in place, whether the garage admitted to the breach before the data was used, and what steps it took after it knew the data had been leaked, etc.).
The best-case scenario is that the fine hurts the business, with possible loss of staff and possible loss of clients. In the worst case, it could close the business.
It doesn't have to be this way. GDPR is not complex and there are steps every business can take to secure the data and become compliant with the law. DP&P Advisers offer a free, no-obligation initial consultation to see how best we can help you. Why not book one now?