The small business owner's guide to GDPR and how to be prepared
Yes, we know… May is nearly here and the GDPR deadline is closing in fast.
But as Corporal Jones said:
"Don't panic, Mr Mainwaring!"
So do you know what GDPR is? And are you prepared?
What is GDPR?
Well, GDPR (General Data Protection Regulation) is an EU regulation that's been designed to help safeguard data protection rights for individuals and sets out a list of rules on how companies handle data relating to individuals. This regulation will be enforceable from 25th May 2018.
Just to be clear, GDPR applies to businesses of all sizes. The record-keeping duty is only relaxed for organisations with fewer than 250 employees, and even then you must keep internal records of your processing activities where the processing is likely to risk somebody's rights and freedoms, where it is more than occasional, or where it involves special categories of data (such as health or ethnicity) or data relating to criminal convictions and offences. Organisations with 250 or more employees must keep full records of all their processing.
Twelve steps to ensure you’re GDPR compliant
To make sure you're compliant there are a number of simple steps to follow, as outlined by the Information Commissioner's Office (ICO):
1. Ensure key employees are informed
It's important that the key people in your company are aware the law is changing in relation to GDPR and of the upcoming deadline. Preparation is the key here, and areas need to be identified that could cause problems under GDPR and action taken to remedy them.
It's better to start now than leave it to the very last minute.
2. Review all personal data you hold
Personal data is anything that allows a living individual to be directly or indirectly identified. That covers obvious identifiers such as a name, postal address or email address, and also online identifiers such as an IP address or a cookie ID. All personal data should be identified and, in particular, where it came from and who it was shared with.
GDPR requires records to be maintained of processing activities. This will also cover the GDPR accountability principle, which requires companies to be able to show how they comply with the data protection principles by having effective policies and procedures in place.
3. Prepare a privacy notice
When personal data is collected, you will have to give individuals certain information such as your identity and how you intend to use their information. This is done through a privacy notice. Under GDPR you will need to give further information about the data you’ll be holding.
4. Know individuals' rights
We mustn't forget that GDPR is in place to provide rights for individuals – including you! Below is a list of all individuals' rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
5. Respond to subject access requests within a month
In case you aren't already aware, the definition of a subject access request is:
When an individual has a right to be informed by a company whether it is processing personal data that relates to them.
Under GDPR you will normally not be able to charge for complying with a subject access request, and you will have one month to respond, rather than the 40 days allowed under the Data Protection Act 1998. Where a request is manifestly unfounded or excessive you may refuse it or charge a reasonable fee, but you must tell the individual why, and they have the right to complain to the supervisory authority and to seek a judicial remedy.
6. Identify the lawful basis for processing personal data
It's important to identify the lawful basis for processing personal data and make sure you document it and update your privacy notice to explain it. This is now relevant, as some individuals' rights will be modified depending on your lawful basis for processing their personal data. There must be a valid lawful basis to process personal data. Individuals will now have a stronger right to have their data deleted where you use consent as your lawful basis for processing personal data.
7. Ensure you have clear consent procedures
In practice, consent needs to be on a clearly recorded opt-in basis, with the right to withdraw consent at any time.
Genuine consent will help you grow your reputation. Be mindful, however, that consent must be freely given, specific and informed, and that individuals must actively opt in: a pre-ticked check box, or a box the individual has to untick to opt out, does not count as valid consent under GDPR.
8. Keep children safe
There will be special protection for children's personal data, particularly in the context of commercial internet services such as social networking. You may need a parent or guardian's consent in order to process a child's personal data lawfully. GDPR sets the age at which a child can give their own consent at 16, but allows member states to lower it to as young as 13, and the UK intends to adopt 13.
9. Notify the ICO of data breaches within 72 hours
Under GDPR there is a duty for all organisations to report certain types of personal data breach to the ICO, and in some cases to the individuals affected. You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals. The individuals themselves must also be notified where the breach is likely to result in a high risk to their rights and freedoms.
Ensure your processes enable you to notify the ICO of a data breach within 72 hours of becoming aware of it.
10. Liaise with the ICO regarding Data Protection by Design and Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) is now mandatory in certain circumstances: where processing is likely to result in a high risk to individuals, for example when deploying new technology or profiling people on a large scale.
If you cannot address the risks, then the ICO should be consulted to seek its opinion and guidance.
11. Appoint a Data Protection Officer
You may need a Data Protection Officer. This depends on what data you process and how you process it, rather than the size of your business. If your core activities involve "regular and systematic monitoring of data subjects on a large scale", you must appoint one.
You must also appoint one if your core activities involve processing, on a large scale, data about criminal convictions or special categories of data: ethnicity, religious or philosophical beliefs, political opinions, trade union membership, genetic or biometric data, health, or sex life or sexual orientation.
The EU does state that 'a group may employ one Data Protection Officer between them, as long as the officer is readily available to each organisation'.
The Data Protection Officer is there to 'inform and advise' on data collection practices and monitor compliance, as well as acting as the point of contact with the Data Protection Authority, which in the UK is the Information Commissioner's Office (ICO).
12. Take a global view
If your company operates in more than one EU member state, you should determine your lead data protection supervisory authority and document it.
You should also map out where your company makes its most significant decisions about its processing activities.
The fines available under GDPR are far higher than before. The record ICO fine of £400,000, levied on TalkTalk in 2016 for a data breach, was issued under the Data Protection Act 1998, which caps fines at £500,000.
Under GDPR there are two tiers: up to €10 million or 2% of annual worldwide turnover, whichever is higher, for breaches of obligations such as record keeping, security and breach notification; and up to €20 million or 4% of annual worldwide turnover, whichever is higher, for breaches of the data protection principles, individuals' rights or the rules on international transfers.
GDPR in a nutshell
In summary, there are two key elements to GDPR. GDPR aims to:
- Give individuals more control over how their personal data is used
- Give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market
This is all about good business practice and is nothing to fear (We told you, Mr Mainwaring!)
Data protection should be treated in the same way as health and safety, with companies protecting their data as much as they protect their employees.
Need help updating your business systems ready for GDPR?
If you'd appreciate some support updating your Customer Relationship Management (CRM) and Marketing Automation (MA) systems, please get in touch.