As a platform for businesses to easily manage their GDPR compliance and cyber security, Naq Cyber helps SMEs across the UK understand new GDPR legislation or law changes that can impact their business.
The Chancellor, Rishi Sunak, commented last week on a potential change to GDPR compliance which could impact all businesses and how they handle data, adding to the confusion for business owners. Concerningly, 80% of all small businesses in the UK aren’t aware of compliance issues or aren’t managing their data correctly, and are vulnerable to huge GDPR fines.
Nadia Kadhim, CEO of Naq Cyber and GDPR Lawyer, said, “Rishi Sunak’s recent comments during the launch event for Treasury Connect have been used in the media to suggest that the UK is going to abandon GDPR entirely, which is just adding to the confusion for small business owners. However, this isn’t true, as the UK Government is simply investigating whether they want to come up with their own version of the GDPR and how this reform would look.
The intention of the UK government is therefore not to abandon GDPR completely, but rather to rewrite some of the data protection principles and articles from the UK GDPR to empower businesses to innovate, whilst continuing to protect citizens’ data. Since the introduction of the adequacy decisions by the UK for the EU and vice versa, data has been allowed to flow freely between the two geographies. Leaving the EU has made it easier, in some ways, for the UK to do business with countries outside of the EU. But the UK government still feels that it would benefit the economy and the UK as a whole to introduce some changes to the stringent data protection framework currently in place.”
The Rt Hon Oliver Dowden CBE MP commented on this, “Now that we have left the EU, we have the freedom to create a bold new data regime: one that unleashes data’s power across the economy and society for the benefit of British citizens and British businesses whilst maintaining high standards of data protection.”
Kadhim added, “Data has been widely recognized to be the driving force of the modern economy and GDPR has caused some barriers to businesses that, with every good intention regarding people’s data, want to seamlessly trade and do business internationally. A reform, therefore, would be welcomed by most private businesses in the UK. The question is how the UK intends to strike a balance between innovation that makes use of emerging technologies and the protection of people, which is the main topic of conversation.”
The proposed reform tackles a range of “issues” with the current UK GDPR, from the freedom research institutions have to re-use personal data, to the mandate of the ICO to take action against non-compliance. The reform can be expected to take years; a new law, especially one as comprehensive and far-reaching as the one we’re discussing here (where people’s privacy is the main concern), does not come about quickly.
Until a new law has been passed, all rules from the UK GDPR apply, which means that:
- All personal data, including that of employees (alongside customers’ data, suppliers’ data, and so on), needs to be protected by technical measures, and companies that process personal data in some way need to have all necessary policies in place in order to comply with the UK GDPR.
- Companies that have employees need to always abide by the UK GDPR in addition to the applicable HR laws.
- All staff need to be regularly trained on handling personal data and how to deal with incidents regarding data.
- Companies may be required to carry out criminal background checks on applicants. Such checks are not always allowed: under the GDPR there needs to be a lawful basis for carrying out a criminal record check.
- There are special retention periods for HR-related data. These do not come from the GDPR but from different UK laws, and sometimes have to be determined by companies themselves.
- Some companies are required to register at the ICO and appoint a data protection officer. Certain companies are further required to appoint a European representative, carry out a data protection impact assessment and consult the ICO prior to the start of a specific processing activity if the processing entails high risk for an individual. Failure to do so can result in hefty fines.
- Non-compliance can lead to fines of up to £17.5 million, or 4% of total worldwide annual turnover. A lot of companies think this won’t ever happen to them, but the ICO has started issuing smaller fines to smaller companies (<100 employees), averaging £15,000.
It is therefore critical that all businesses start to take GDPR and cyber security seriously and consider investing in ongoing protection and advice in the same way they would hire an accountant to manage their accounts.