GDPR Now In Force
The GDPR (General Data Protection Regulation) is now in force. Touted as the biggest reform of data privacy in a generation, it has impacted, and will continue to impact, almost every business in the UK. If you run a small business and haven't done your GDPR homework you're probably not alone. But don't panic: keep calm and carry on with making your business GDPR friendly.
We've written several blog articles about GDPR for small businesses over the past few months. This one is for those of you with small businesses who have not yet gone through the process of making sure you comply with the GDPR requirements. According to Mike Cherry, National Chairman of the Federation of Small Businesses, many are still unprepared.
What's GDPR all about?
Data protection legislation is not new. The GDPR is an evolutionary step in the laws that regulate how personal data is used and protected. Personal data is, in some ways, the new digital currency: it's hugely valuable to both you and the businesses you deal with. If you, as a business owner, understand and respect the importance of your customers' data then you shouldn't find it difficult to meet your legal obligations.
The GDPR replaces the Data Protection Act, which has many similarities to the GDPR. So, if you understood what was required of you under the DPA, then you may be not far off being GDPR compliant. If, however, you've never given much thought to how and why you use and protect personal data then you've probably got a fair amount of work to do.
What do I have to do?
The ICO has produced a wealth of information for businesses to help them comply with GDPR. A visit to the ICO website is well worthwhile. The fine details of what you need to do depend very much on how much personal data you collect and what you do with it. But to get you started, here's a 'big picture' overview of what you are likely to need to do:
Understand and document your use of personal data
You need to start at the very beginning, by documenting what personal data you collect, why you collect it, what you use it for and how long you keep it for.
Under the GDPR, the definition of 'personal data' has been broadened to include additional forms of data including: cookies, IP addresses, biometric data and images. For many small, online businesses the main type of personal data will be your customers' contact details (name, address, email, telephone). You are required to keep records of your use of personal data. If you've never produced such a document before then it might be time-consuming - but also quite illuminating, since you will need to think about your business processes, workflow and website in order to fully understand your use of personal data.
As you start to document your business processes you can also take the opportunity to ask yourself "does my business really need this data?". One of the principles of data protection law is that you should not process more personal data than you actually need, nor keep it for longer than is strictly necessary. If you find that you no longer need, or can't justify, certain items of data then now is a great time to delete the excess data and stop collecting it in the future.
Website cookies are now classed as personal data so you will also need to understand, and document, what cookies your website uses. You may have to ask your website developer for assistance.
The document you produce should record your use of personal data in quite a detailed way. You can use the template spreadsheet for data controllers provided by the ICO as a starting point. Once completed, you should keep this document safe since it will be helpful to demonstrate your compliance with the law. You also need to review it from time to time. Nothing about GDPR compliance is a 'one off': everything has to be kept up-to-date and accurate.
Once you understand your use of personal data then you can tell the world (or, at least, your customers). In fact, you are required by the GDPR to tell data subjects what personal data you collect, why you collect it, how you use it, who you share it with and more. And you have to express this information clearly and concisely. When you ask a data subject (client, customer, member etc.) to provide personal data you must tell them, there and then, why you need it and what you'll use it for. The information you provide should cover:
- Who you are - including contact details and your identity (business name, registered number, data controller number)
- What personal data you process, what you do with it, why you need it and the lawful bases for your processing
- What third parties you share personal data with
- Any transfers of personal data to other countries
- Rights of the data subject (including the right to withdraw consent)
- The right of the data subject to lodge a complaint with the ICO.
The above list is not exhaustive but covers the main areas likely to apply to many small businesses.
If you capture personal data on paper forms then you may also have to update your forms to provide information about your use of personal data. If you are asking for consent then you should double-check that the way you ask for, record and handle consent is in line with the higher standards set by the GDPR.
The term 'lawful basis' simply means the legal reason that makes it acceptable for you to process personal data in a particular way. The GDPR sets out 6 lawful bases that you can use. It sometimes takes a bit of head-scratching to figure out which apply, but you need to be quite clear about which bases you are relying on. You can't be vague, nor can you (lawfully) change your mind after you've started processing data. One of our earlier blog articles talked about privacy policies and lawful bases.
Make sure your business processes support your GDPR obligations
The GDPR gives data subjects certain statutory rights over their personal data. Some of these rights already existed under the previous Data Protection Act, but some are new. The rights that are likely to cause the most consternation to small businesses are:
- The right to be informed - you need to tell data subjects what personal data you collect, why and how you collect it (as discussed above)
- The right to access - data subjects have a right to ask whether you hold personal data about them and, if so, they have a right to access that data and to know how it's used. This right existed under the DPA but the time period to respond to such requests has been reduced from x to x under the GDPR.
- The right to rectification - data subjects have a right to have their personal data corrected if it is inaccurate, or completed if it is incomplete
- The right to erasure (the "right to be forgotten") - data subjects have a right to have their personal data removed from your systems
- The right to restrict processing - data subjects have a right to restrict your processing of their personal data.
You need to understand and have appropriate processes in place to respond correctly should a data subject contact you to exercise any of their rights. If the only personal data you collect is a customer's contact details, and you allow online access to manage account details, then you are already providing a method to access and correct personal data.
The right to erasure might cause a bit of panic but it needn't. It does not mean that you have to immediately delete all sales data relating to a customer, thereby compromising your internal reporting. This right applies to a data subject's personal data, meaning that you can retain data that does not identify an individual person. One approach might be a process to remove or 'anonymise' the personal data (the customer name, address, email etc) from your sales database whilst retaining the base transaction details. You have one month to respond to such requests. This is a qualified right, so there are cases where you might need to justify not erasing personal data when requested to do so - see the ICO website for details.
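As an added illustration of the 'anonymise the customer but keep the transactions' approach described above (this is example code written for this article's point, not something from the original post or from the ICO), here is a small Python/SQLite sketch. The customers/orders schema, the sample rows and the 'ERASED' tombstone values are all constructed assumptions.

```python
import sqlite3
from datetime import date

# Constructed sample schema: a customer record and the orders that reference it.
SCHEMA = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY, name TEXT, address TEXT, email TEXT UNIQUE,
    erased_on TEXT  -- NULL until an erasure request has been actioned
);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY, customer_id INTEGER REFERENCES customers(id),
    order_date TEXT, total_pence INTEGER
);
"""

def build_sample_db():
    """Return an in-memory database holding constructed sample customers and orders."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO customers VALUES (?,?,?,?,NULL)", [
        (1, "Alice Example", "1 High St, Anytown", "alice@example.com"),
        (2, "Bob Example", "2 Low Rd, Anytown", "bob@example.com"),
    ])
    con.executemany("INSERT INTO orders VALUES (?,?,?,?)", [
        (10, 1, "2018-03-01", 4999), (11, 1, "2018-04-12", 1250), (12, 2, "2018-05-02", 800),
    ])
    con.commit()
    return con

def anonymise_customer(con, customer_id, today=None):
    """Action an erasure request: overwrite the identifying fields in place, keep the
    customer row (so the orders pointing at it stay valid) and record when it was done.
    Returns the number of rows changed: 0 means unknown id or already erased."""
    today = today or date.today().isoformat()
    cur = con.execute(
        """UPDATE customers
           SET name = 'ERASED', address = NULL,
               email = 'erased-' || id || '@invalid',  -- unique, non-deliverable placeholder
               erased_on = ?
           WHERE id = ? AND erased_on IS NULL""",
        (today, customer_id),
    )
    con.commit()
    return cur.rowcount

def revenue_by_year(con):
    """Internal reporting query; its figures must be unchanged by an erasure."""
    rows = con.execute(
        "SELECT substr(order_date, 1, 4), SUM(total_pence) FROM orders GROUP BY 1 ORDER BY 1"
    ).fetchall()
    return dict(rows)
```

The same treatment has to reach every other copy of the record (backups, exported spreadsheets, mailing lists), otherwise the erasure is only partial.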
What will happen if I don't comply with GDPR?
The GDPR gives much greater powers (than those that existed previously under the Data Protection Act) to the supervisory bodies to punish data processors and controllers for breaches and non-compliance. The ICO now has the power to dish out fines up to €10 million or 2% of a company's global annual turnover.