Vicki Owen For The Mail On Sunday
Firms that keep or process customers’ personal information are being urged to act now to avoid steep fines under tough new EU data laws.
With nine months to go until the major shake-up of information governance laws, Dr Adam Marshall, director-general of the British Chambers of Commerce, which has warned smaller firms not to leave preparations ‘until the 11th hour’, said: ‘This is a big change to the way that companies have to handle data and not knowing that the change is coming is not an excuse.
‘We all need to get ready for this and make sure our data handling procedures are compliant.’
Privacy concerns: The Data Protection Bill announced in the Queen’s Speech last month will implement General Data Protection Regulation into UK law from May 25
The General Data Protection Regulation, which includes the ‘right to be forgotten’, comes into effect on May 25.
It means businesses could be liable for fines of up to €20 million (£18.4 million) or four per cent of their turnover if they breach the rules.
The Data Protection Bill announced in the Queen’s Speech last month will implement GDPR into UK law.
Marshall said: ‘This [preparation] is crucial, not just for trading at home, but in future for trading with EU countries.
‘The flows of data between us and the EU are very big and we wouldn’t want to see any UK company losing access to customers or markets in Europe because it wasn’t following the correct data handling procedures.’
The BCC has recommended businesses review what personal data their firm holds, where it came from and who it is shared with. Firms should also review how they seek, obtain and record consent from individuals.
He said: ‘This isn’t just about spam, this is about data that one might hold about customers and how it’s protected on your servers, for example.
‘Any business with a database should be thinking about it. Businesses that bill their customers should think about how they handle that billing information to make sure it’s secure, for example.
‘There is not and should not be any place to hide for a business that is wilfully trying to get around the law, because that undercuts other firms who are doing everything in their power to comply with it.’
Mike Cherry, chairman of the Federation of Small Businesses, said: ‘There is a clear danger that companies could inadvertently face a fine.’
The FSB said the danger comes from the lack of awareness some small businesses have regarding the changes. It warned some do not know that the changes will relate to their business and will not be making preparations needed to comply with the new regulations.
Giving the example of a gardening start-up that wanted to advertise services locally via email, it said the changes around consent would have a huge impact on a small business without a human resources or data protection officer.
The business will not be able to email people unless they have given consent and if a person asks for their personal details to be deleted, this must be done in 72 hours.
The FSB said fining should be a ‘last resort’.
Meanwhile, bulk SMS provider Voodoo SMS surveyed consumers and businesses and found 75 per cent of respondents would not opt in to receiving marketing communications from online retailers.
Managing director Gareth Davies said: ‘Businesses’ customer contacts are unlikely to opt in to future marketing, a prerequisite of GDPR, and smaller firms are unaware of what to do to prepare for changes.
‘Our concern is especially for small businesses without the expertise, resources and awareness.’
The Information Commissioner’s Office has a checklist for firms on its website.