If you receive personal data from the EU for business use, you need to act now to ensure you are prepared for data protection requirements that may come into force on January 1.
Whether you receive details for payroll admin, or customers’ email addresses, you’ll find a host of helpful tools and information on the ICO (Information Commissioner’s Office) website.
“We realise many companies won’t know data protection law in detail, and it might seem a bit daunting,” says the ICO’s Steve Wood. “This is why we’ve produced guidance aimed at SMEs.
“Businesses that receive personal data from the EU may need to make changes by the end of the year if they want to keep receiving that information lawfully. Therefore it’s important to start preparing now.”
The best way to prepare is to ensure you comply with the General Data Protection Regulation. “GDPR asks businesses to be accountable for the personal data they hold and process,” explains Steve.
“Knowing what information you have, and operating effective storage systems for retaining or deleting personal data, make good business sense, and will show customers you’re taking care of their data. Further changes may be needed depending on what is agreed between the UK and the EU.”
John Whittingdale, the UK Government’s Minister of State for Media and Data, is also encouraging businesses to start preparing.
“It is vital for businesses receiving personal data from the European Union and the European Economic Area to get ready now to make sure they can keep it flowing lawfully from 1 January. I encourage firms to follow the Information Commissioner’s Office online guidance which makes it simple and easy for small and medium-sized businesses and organisations in every sector to get on the front foot.”
One business owner who has already made plans is Alex Stewart (above), founder of eco-conscious travel goods company OneNine5.
“Germany is our second biggest market outside the UK, and we hold data from EU countries when we ship orders and when we ask people to sign up to our newsletters,” says Alex.
“So we’ll take an extra step to make sure we’re EU compliant – we don’t want to fall short.” Steve agrees it’s wise for SMEs like OneNine5 to take action now.
“You may need to get in touch with your partner in the EU to agree on additional steps to protect personal data,” he says.
“Again, the ICO’s guidance talks through measures you may need to take, such as putting a standard contractual clause (SCC) in place.”
An SCC is a set of terms and conditions that the sender and receiver of personal data sign up to, which offers protection under GDPR for both parties. Find more at ico.org.uk.
Don’t leave it too late. You could be prevented from receiving personal data that is essential for the running of your business.
Details of the key actions that businesses and individuals need to take before the end of the transition period can be found on gov.uk/transition.