Compliance with data protection laws is a challenge for organisations of any size. But small to medium-sized enterprises (SMEs) have to tackle compliance with limited budgets and a small IT team. And it is easy to be intimidated by talk of harsh penalties under regulations such as the EU’s General Data Protection Regulation (GDPR).
Regulators recognise this. Since the GDPR came into force in May 2018, regulators have acted to improve the advice and information available to SMEs.
The UK Information Commissioner’s Office (ICO) has a hub devoted to data protection as well as checklists that cover key compliance points for SMEs. The introduction of the GDPR has done much to raise awareness of data protection – and compliance more generally.
Here are the main regulations that UK businesses need to consider.
Data Protection Act
The Data Protection Act (DPA) is the starting point for all UK data protection rules. In fact, it is the DPA that makes the EU’s GDPR (see below) part of UK law. As such, the DPA was updated in 2018 when the GDPR came into force.
In EU law, member states – and for now, that includes the UK – have some freedom (or derogation) to amend the GDPR when it is applied to local law.
Examples include the age at which a child can give consent for their data to be processed – 13 under the DPA, but 16 under the GDPR – and making some infringements of GDPR rules a criminal rather than a civil matter in the UK.
It is a common misconception that smaller companies are exempt from the Data Protection Act. They are not. “Some SMEs certainly assume the law doesn’t apply to them, but only to big business,” says Bryan Betts, analyst at Freeform Dynamics.
But any organisation that stores or processes personal data needs to deal with the DPA, whether that data is stored locally on a simple server or hard drive, in a cloud service, or on an employee’s laptop.
General Data Protection Regulation
The GDPR brings the EU’s rules for data protection and compliance up to date. The regulation works as a set of principles and does not tell organisations how to be compliant at a technical level. It is down to SMEs to find technical solutions, and to demonstrate that they are in keeping with GDPR principles and obligations.
The GDPR introduces some significant new rights for consumers, including the right to be forgotten, and some specific requirements for businesses, such as compulsory breach disclosure and, of course, much higher fines (up to 4% of global turnover). Research by IDC has found that the right to data portability set out in the GDPR has caused the most pain for SMEs.
Although the GDPR is not prescriptive, it does set out measures that businesses can take to protect data. In turn, these measures will demonstrate compliance. Encrypting data, for example, is a step that all SMEs can take and will help to show they have tried to comply if there is a breach or data loss.
In the UK, the ICO has said it will take attempts at compliance into account, especially for smaller organisations. The largest fines are likely to fall on organisations that have deliberately or recklessly ignored data protection and security measures, or not made any attempt to give consumers more control over their data.
Keeping personal data records on unencrypted media, even if kept under lock and key, or keeping it in the clear in the cloud, will not satisfy the regulators. Ensuring data is encrypted in transit and at rest and that only specified and trained staff can handle the files will show that a firm has tried to keep up with the law.
As with the UK’s DPA, other EU countries also have derogations. So any SME trading elsewhere in the EU needs to research local laws and ensure its data storage processes do not fall foul of those countries’ provisions.
The PCI-DSS standard covers all organisations that handle payment card transactions. Banks will suspend card payments for companies that fail to follow the standards. And if a business suffers a data breach, it must be able to show it has followed the PCI standard for payment information.
PCI-DSS is far more specific than principle-based regulations, such as the GDPR. As such, it is a good starting point for smaller businesses looking to improve their data storage compliance, says Mathieu Gorge of Vigitrust.
“PCI has some very good guidance on what you can and cannot store when it comes to credit card data,” he says. “PCI has very prescriptive controls, but that allows you to align with the GDPR and the Data Protection Act.”
HIPAA, Privacy and Electronic Communications Regulations and industry-specific compliance
Firms in specific industries will need to comply with additional regulations. For healthcare organisations, the US-based HIPAA (Health Insurance Portability and Accountability Act) is a good proxy for the safe handling of patient or customer data, although it is not a substitute for following the DPA and other UK laws.
Suppliers into the NHS will need to comply with that organisation’s data protection guidance. The NHS produces its own data protection toolkit for internal NHS use, while the ICO has guidance on health and social care data.
The Privacy and Electronic Communications Regulations (PECR) may be less focused on data storage, but cover issues such as the use of data for marketing, securing communications services, and holding billing and location information for communications.
The ICO has its own guidance section on the PECR. “The PECR has not received the same attention as the GDPR, but for some organisations it might be more important,” says Bryan Betts, analyst at Freeform Dynamics.
Firms will also need to address any regulations imposed on them by customers and, more rarely, suppliers. These can range from rules around the handling of classified government data, to protecting commercially confidential information.
Businesses such as financial advisers, law firms and PR consultants need to be mindful of confidential data, and ensure that files are stored – and shared – securely.
The Law Society, for example, has prepared some detailed guidance for its members on the main compliance and security risks they face.
A further challenge for small organisations is that laws and regulations are not static. Businesses also need to plan for legal research or regulatory investigations.
A solid data classification process will help SMEs to stay compliant. This ensures the business knows what data it holds, and where. This, in turn, helps to align storage and data protection to the value of the information, such as low-cost public cloud for non-sensitive data, and encrypted onsite storage for sensitive and valuable files.
“It is hard for small businesses,” says Betts. “But once you get to being a mid-sized enterprise, data governance and data classification is something you should be doing anyway.”