Blue Llama recently put together the ThinkGDPR.org website for the Data Protection offices of the Channel Islands. The website aims to build awareness of the impending changes to data privacy laws that will come into effect in May 2018. Titled the EU General Data Protection Regulation, or GDPR, its purpose is a simple one: to give citizens greater control over how businesses can use their personal information. While the law is an EU one, Jersey and Guernsey have promised to adopt it locally too.
As altruistic as this sounds, its impact on SMEs could be chaotic. Set to completely overhaul the laws regarding the handling of personal data, the effects of its introduction are something that all small-to-medium-sized ventures need to prepare themselves for – starting now.
This is because it will not simply be a case of a slap on the wrist if you get it wrong. Businesses that act in contravention of the GDPR are likely to find themselves facing massive fines for non-compliance, amounting to up to 20 million euros, or four percent of a company’s annual global turnover.
For those who choose to read the small print, you may find wording that seems to imply your company is exempt, but beware of making incorrect assumptions. Although the regulation may seem not to apply to businesses with under 250 employees, any company that stores, collects, or uses data must still abide by it should this data fall into certain categories, such as information that relates to genetics and biometrics, health, racial or ethnic origin, religious beliefs, political affiliations, or sexual orientation.
This change to the law will be implemented irrespective of Brexit, with the intention of adopting mirrored legislation in the UK to give its effects the proper degree of permanence.
How the GDPR will affect businesses in Jersey
The introduction of the GDPR will place three new responsibilities upon UK businesses. These are:
1: To appoint a designated Data Protection Officer
This person will be required to have an expert level of understanding regarding the organisation’s responsibilities under the GDPR so that they can make certain the business is complying with them.
2: To report data losses to the OIC within 72 hours
The GDPR will introduce strict laws regulating how the loss or theft of data is handled by companies. Primarily, it will make it so that businesses must report such to the OIC within 72 hours or less.
3: To gain consent
The most significant changes made have centred around consent, which must now be explicitly given before information can be used. This law will be applied retroactively so that data previously collected cannot be utilised unless it meets these standards. Privacy policies will also have to be updated to make individuals aware of their new rights.
How businesses in Jersey can prepare
It may sound like these changes will be incredibly difficult to implement, but the truth is that you should be – and probably are – doing most of what you need to already in order to ensure that solid data privacy and protection are achieved.
To help you out where you might be falling a little short, here are a few steps we suggest you take in order to help you remain legally compliant…
1: Appoint a Data Protection Officer
Although it may sound like this means you must either train someone for the role or employ an expert, the individual holding this position needn’t be a full-time employee, which means that it’s perfectly possible for you to outsource the position in order to keep costs to a minimum.
As you now have an obligation to make individuals aware of the rights given to them by the GDPR, take a look at your privacy policies and T&Cs and update these where appropriate to ensure proper compliance.
3: Plan what will happen in the event of a breach
You should attempt to put a plan in place outlining what steps will be taken in the event of a breach. This should include what data within your organisation qualifies as ‘personal’, who has access to it, where it’s kept, and who a breach should be reported to.
4: Improve your cybersecurity
Although we would always recommend having such a plan in place, we would urge you to be proactive in avoiding breaches to begin with by improving your cybersecurity. Companies such as Blue Llama can assist you with this, performing an in-depth audit to help make your business more secure than ever before.
5: Review existing data and consent
Lastly, don’t forget to check that any existing data collected is still okay to use when viewed through the lens of these new laws. If it isn’t, make sure that you do not continue to utilise it for any purpose requiring consent or else you may find yourself liable to prosecution.
For further information on the effect of the GDPR in Jersey and how it might impact your business, feel free to get in touch with us today to see how we can help you.