Tuesday, November 28, 2017

GDPR: 12 important things your business needs to know

The General Data Protection Regulation (GDPR) has been called the biggest ever shake-up relating to how personal data about individuals can be stored. Its implications are massive and almost certainly not fully comprehended by the majority of businesses, despite the fact that the legislation is effective as of 25 May 2018.

The GDPR goes far beyond existing data protection measures and affects businesses of all sizes – from sole traders up to the biggest corporations. Research undertaken by Sage shows that 57% of UK businesses lack awareness surrounding GDPR, while 60% don’t understand what GDPR means for their business. Unsurprisingly, businesses have many questions about GDPR – ranging from how it should be implemented to how it will impact their day-to-day work. Here are the answers to some frequently asked questions. Got any other questions? Let us know in the comments below for a future update of this piece.

1. Does my business have to become “GDPR certified”?

No. The wording of the GDPR doesn’t specify or mandate a particular certification system, but it does encourage voluntary certification via industry bodies or organisations that comply with EN-ISO/IEC 17065/2012 and that have been authorised by the relevant supervisory authorities, such as the Information Commissioner’s Office (ICO) in the UK.

While becoming GDPR-certified is encouraged as a way of providing guarantees about technical and organisational security measures, among other things, doing so is of particular importance for third parties that process data on behalf of others. To this end, the Cloud Select Industry Group (C-SIG) now has a Code of Conduct that is approved by the ICO and the EU’s Article 29 Working Party.

2. What’s the deadline for the GDPR?

The GDPR comes into effect on 25 May 2018. There’s no grace period or overlap for your business when this happens, so you must ensure your business is ready by then.

3. Will my business have to undergo GDPR audits or inspections?

There’s no requirement within the GDPR for regular governmental audits or inspections, but supervisory authorities do have the right to carry out audits as part of their investigatory powers. However, this isn’t to say self-imposed audits or inspections aren’t a very good idea, or even a de facto requirement for GDPR compliance.

For third parties providing data processing services to others, the situation is a little more complicated. They will have to make available to the company employing them all information necessary to demonstrate compliance with their obligations under the GDPR. They must also allow for and contribute to audits, including inspections, that the business employing them mandates.

However, the GDPR does introduce significant and onerous new record-keeping requirements for all businesses. It’s not enough to merely comply with the GDPR: any business must be able to prove it’s doing so. Note that there’s a possibility governments might implement formal, regular audit processes when they implement the GDPR within national laws.

4. I run a very small business comprising just myself. Does the GDPR affect me?

Yes. The GDPR affects anybody or anything engaged in an economic activity that processes personal data – including organisations such as partnerships, charities or clubs/societies. It doesn’t matter whether this entity is legally recognised or not.

5. Are products from Sage ready for the GDPR?

Sage is working to ensure all its active products are GDPR-ready. In line with the UK’s Cyber Essentials guidance, and similar government recommendations in other countries, Sage recommends that users always ensure they are running the latest versions of software. Specifically, to assist organisations in meeting their GDPR obligations, Sage may continue to provide additional enhancements, so customers are advised to periodically review the latest available version and install updates as appropriate. Customers running cloud products, such as those within the Sage Business Cloud, will benefit from always running the latest versions of software.

6. I’m already compliant with the Data Protection Act 1998. Do I need to do anything?

Probably. The GDPR supersedes all existing national data protection laws in EU Member States. The requirements of the GDPR go significantly beyond the Data Protection Act 1998, so the possibility of a business finding itself already compliant is very unlikely.

7. In a nutshell, how does the GDPR differ from existing data protection legislation?

To be blunt, the differences are so extensive that it’s impossible to sum them up in a quick answer. General Data Protection Regulation: The Sage Quick Start Guide for Businesses provides a concise and readable overview.
