GDPR - Getting Your Business Ready
Are you struggling to understand what you need to do to comply with the new General Data Protection Regulation (GDPR)? In this article we will try to demystify what it means for small businesses and sole traders. We'll give you some pointers and some ideas of the things you might need to do in order to comply with the GDPR. If you run your own business and use personal data from customers for routine purposes, then this is for you.
The GDPR applies to any entity (person, business or organisation) that processes personal data, whether as a 'controller' deciding why and how the data is used or as a 'processor' handling it on a controller's behalf. Personal data is any information that relates to an identified or identifiable living individual, regardless of whether it was collected as part of a B2C or a B2B interaction. The obvious examples are name, address, phone number etc. Less obvious examples include photographs, geolocation data, biometric data, IP addresses, online identifiers such as cookie IDs, and more.
Some types of personal data ('special category' data such as health information, or data about racial or ethnic origin, religious beliefs or sexual orientation) have greater protection under the GDPR, and controllers and processors have to do more to comply if they use it. Some types of processing, such as automated decision-making and profiling, also require additional justification and safeguards.
The Information Commissioner's Office (ICO) has produced a large body of guidance for businesses. One of the most useful overviews, in our opinion, is their '12 Steps to Take Now' infographic. It's worth having a look at, and we'll talk about each of the steps below and how they could apply to small businesses.
GDPR Preparation - the 12 steps
Awareness
Make sure that you and those you work with understand how the GDPR is likely to affect your business. Data protection law applies to both electronic and paper records, so anyone who deals with customer or staff data needs to be briefed.
Action point: tell your staff about the GDPR; find out more first (from the ICO website) if you're unsure.
Information you hold
You need to understand what personal data you collect, why you need it, how you use it and store it, how long you hold it for, who you share it with and how it is kept safe.
One of the new requirements of the GDPR is that you keep a written record of your processing activities (Article 30). So, you need to produce, and keep up to date, a document recording this information. Strictly, organisations with fewer than 250 employees are exempt unless the processing is more than occasional, is likely to result in a risk to individuals, or involves special category or criminal conviction data; in practice a business that keeps a customer database is processing more than occasionally, so plan on keeping the record. Unless you've already reviewed the personal data you hold, you're likely to need to sit down and do a 'data audit', i.e. go through your systems (paper and electronic) and document the personal data you collect.
If you have a website then don't forget to document the cookies it sets: cookies that identify a user or their device are personal data too, and the separate rules on obtaining consent for non-essential cookies (PECR) continue to apply.
The ICO has a sample spreadsheet for data controllers that you can download and use as a starting point. You will probably end up deleting some of the columns since they won't be relevant, but it's still useful. If you have previously registered with the ICO as a data controller, then the information you provided with your registration is the starting point for completing your new record of processing activities.
Both the GDPR and the Data Protection Act 1998, which it supersedes, say that you must
- only collect and process the personal data that you need,
- only use it in the way you said you would,
- keep the data up-to-date,
- keep it for no longer than necessary.
When carrying out your data audit you may find that you are collecting data you don't need and can't justify. Now is the time to update your processes so that you process only the minimum personal data you need.
If you hold more than basic personal data then you may need to implement a formal data retention process, i.e. actively remove data that is no longer needed once a specified period has passed, with the period set per purpose (an invoice may have to be kept for years for tax purposes while a delivery address is only needed until the order is fulfilled). Whether you have a formal retention policy or not, it's still good practice to periodically review what personal data you hold, identify any you no longer need and cannot justify retaining, and remove it.
Action point: create your data audit spreadsheet.
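The following is an added example (not code from the original article or from the ICO) of what a per-purpose retention process can look like once the data audit has mapped each field to the purposes that use it. The retention periods, field-to-purpose mapping and the customer record are all constructed for illustration; the real figures have to come from your own retention policy. The useful part is that a field is only purged when no still-active purpose needs it, and the whole record goes only when nothing justifies it.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed retention schedule: how many days each purpose justifies keeping
# data after it started. None marks a consent-based purpose, which lasts until
# the data subject withdraws consent. The real figures must come from your own
# retention policy (e.g. how long your accountant says invoices must be kept).
RETENTION_DAYS: Dict[str, Optional[int]] = {
    "order_fulfilment": 30,
    "accounting": 6 * 365,
    "newsletter": None,
}

# Which fields each purpose actually needs (assumed mapping). A field only has
# to be kept while at least one purpose that uses it is still active.
FIELDS_BY_PURPOSE: Dict[str, Set[str]] = {
    "order_fulfilment": {"name", "email", "delivery_address"},
    "accounting": {"name", "invoice_address"},
    "newsletter": {"email"},
}


@dataclass
class PurposeUse:
    started: date                     # when processing for this purpose began
    withdrawn: Optional[date] = None  # consent withdrawal date, if any


@dataclass
class CustomerRecord:
    subject_id: str
    fields: Dict[str, str]
    purposes: Dict[str, PurposeUse]


def purpose_active(name: str, use: PurposeUse, today: date) -> bool:
    """True while this purpose still justifies holding the data."""
    if use.withdrawn is not None and use.withdrawn <= today:
        return False                   # consent gone: stop processing
    days = RETENTION_DAYS[name]
    if days is None:
        return True                    # consent-based and not yet withdrawn
    return today < use.started + timedelta(days=days)


def retention_review(record: CustomerRecord, today: date) -> Tuple[Set[str], List[str]]:
    """Return (purposes still active, fields that no active purpose needs)."""
    active = {p for p, use in record.purposes.items() if purpose_active(p, use, today)}
    needed = set().union(*(FIELDS_BY_PURPOSE[p] for p in active))
    to_purge = sorted(set(record.fields) - needed)
    return active, to_purge


def apply_retention(record: CustomerRecord, today: date) -> bool:
    """Delete fields that are no longer justified. Returns True when nothing
    justifies keeping the record at all, so the whole record should go."""
    active, to_purge = retention_review(record, today)
    for field_name in to_purge:
        del record.fields[field_name]
    return not active


def sample_record() -> CustomerRecord:
    """Constructed sample: one order placed in January 2018, newsletter consent
    given with the order and withdrawn on 1 March 2018."""
    placed = date(2018, 1, 10)
    return CustomerRecord(
        subject_id="cust-1001",
        fields={
            "name": "A. Customer",
            "email": "a.customer@example.com",
            "delivery_address": "1 Example Street",
            "invoice_address": "1 Example Street",
        },
        purposes={
            "order_fulfilment": PurposeUse(started=placed),
            "accounting": PurposeUse(started=placed),
            "newsletter": PurposeUse(started=placed, withdrawn=date(2018, 3, 1)),
        },
    )


if __name__ == "__main__":
    rec = sample_record()
    active, purge = retention_review(rec, date(2018, 6, 1))
    print("still justified:", sorted(active))      # ['accounting']
    print("fields to remove:", purge)              # ['delivery_address', 'email']
    print("delete whole record:", apply_retention(rec, date(2018, 6, 1)))  # False
```

Run as a scheduled job over your customer table, this gives you a defensible answer to "why do you still hold this?" for every field, and the `withdrawn` date ties the newsletter purpose to the consent record rather than to a fixed period.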
Communicating privacy information
You are already required to provide certain details when you capture personal data, including:
- who you are
- what you use personal data for.
Under the GDPR you also have to provide details of:
- the lawful basis you are using to process personal data,
- the data subjects' right to complain to the ICO,
- how long you will keep the data (your retention periods).
The ICO places a great deal of emphasis on good communication: making it easy for data subjects to understand how their data is being used. One of its practical recommendations is a 'layered' approach, i.e. the key points at the place where the data is collected and a fuller privacy notice available elsewhere. This applies to both paper forms and websites. There are some good examples here: ICO Privacy Notice Examples. We've updated the data privacy clauses in the template Privacy Notice we offer, as well as our range of T&Cs legal templates, to help you provide the relevant information.
Individuals' rights
Individuals already have a wide range of rights relating to personal data. The GDPR introduces a new right to 'data portability', which means that a data subject can ask for a copy of the personal data they have given you in a structured, commonly used and machine-readable format (free of charge), so that they can move it to another provider. This right applies where you process the data by automated means on the basis of consent or a contract.
Now would be a good time to review your processes and make sure you know how you would handle the situation where a data subject:
- requests access to their personal data
- requests to have their data erased (the 'right to be forgotten')
- asks you to stop using their data (withdraws consent)
- objects to your use of their personal data.
Action point: make sure you know what you need to do when data subjects exercise their legal rights.
Subject access requests
Data subjects already have a right to request to see what personal data you hold about them. What's changed under the GDPR is:
- in most cases you can't charge a fee
- you have to respond to a SAR (subject access request) without undue delay and at the latest within one month, rather than the previous 40 days (the month can be extended by a further two months for complex or numerous requests, but you must tell the data subject within the first month)
- you can refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive
- if you refuse a request you have to reply promptly (and within one month), tell the data subject why you have refused, and inform them of their right to complain to a supervisory authority (the ICO) and to seek a judicial remedy.
Most commercial websites allow customers to view and update their personal details themselves. If you process simple personal data and provide secure access via your website, then you may have little further to do other than direct the data subject to the correct section of your website and provide the supplementary information (purposes, recipients, retention period, source) the GDPR requires. If, however, you process personal data that is not available online to the data subject, then you may have more work to do to fully satisfy a SAR. Either way, verify the identity of the person making the request before releasing anything: sending a data subject's records to someone impersonating them would itself be a data breach.
Action point: know how you will provide personal data in response to a SAR.
Lawful basis for processing personal data
You need to know, and communicate, why you are legally allowed to collect and process personal data. We gave a brief overview of the concept of 'lawful basis' in an earlier blog article.
These legal reasons that allow you to process personal data existed before the GDPR but now play a greater role. There are six: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, a public task, and legitimate interests. You need to identify which you are using, and the basis you pick affects which rights the data subject has (for example, data portability only applies to consent- or contract-based processing). It may well be that you can rely on more than one lawful basis, and perhaps different bases for different types of data or different purposes.
Action point: understand the six lawful bases and identify which you will use.
Consent
Consent is one of the lawful bases for processing personal data. Relying on a data subject's consent to process their personal data is not the easy option: obtaining valid consent under the GDPR is stricter than under previous legislation. To meet the GDPR standard, consent must be:
- Freely given - a genuine choice, not a condition imposed on the data subject to gain access to other goods or services.
- Specific - the data subject is giving consent for specific data for specific purpose(s) i.e. no blanket consents.
- Informed and unambiguous - you must clearly and concisely explain who you are, why you need the data and what you will do with it, in a way that the data subject will understand.
- A positive opt-in - no pre-ticked opt-in boxes (this is not new to GDPR).
- Easy to withdraw - the data subject must be able to withdraw consent at any time, as easily as they gave it. Once consent is withdrawn you must stop the processing that relied on it.
- Documented - you must have a way of recording when and how consent was given (who consented, what they were told and what they agreed to). It may be that you need to change your processes or website to record the date and method when a data subject gives consent, and again when they withdraw it.
If you rely on consent for any aspect of personal data processing, then you need to make sure that the consent you have meets the GDPR standard of valid consent. This also covers consent for things such as sending marketing emails (although the Privacy and Electronic Communications Regulations, PECR, cover e-marketing in more detail).
You may have already received emails from large organisations asking you to continue to allow them to send you emails: these organisations are making sure that they have valid consent. Be careful before copying them, though: an email asking for consent is itself a marketing email, so sending it to people you do not already have a lawful basis to email can break the e-marketing rules.
Action point: check that you have valid consent (including date), renew consent with data subject if necessary.
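As an added example (not part of the original article), here is what the 'documented' and 'easy to withdraw' requirements above look like as an append-only consent record. The subject ids, purposes, checkbox wording and dates are constructed; the design choices are that consent is stored per purpose, only an affirmative act can be recorded as consent, withdrawal is recorded rather than the original entry being edited, and a processing decision is made by asking the ledger whether consent stands at a given moment.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str      # one specific purpose; no blanket "all marketing"
    given: bool       # True = consent given, False = consent withdrawn
    at: datetime      # when it happened (timezone-aware, UTC)
    how: str          # the mechanism, e.g. the exact checkbox wording shown
    evidence: str     # something you can produce later: form submission id,
                      # unsubscribe token, ticket number for a phone request


class ConsentLedger:
    """Append-only log of consent given and withdrawn, per subject and purpose.
    Events are never edited or deleted, so the history can be shown to a data
    subject or the ICO later."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def give(self, subject_id: str, purpose: str, at: datetime, how: str,
             evidence: str, affirmative_act: bool) -> ConsentEvent:
        """Record consent. A pre-ticked box, silence or inactivity is not an
        affirmative act, so such a 'consent' is refused rather than logged."""
        if not affirmative_act:
            raise ValueError("consent requires a clear affirmative action by the data subject")
        return self._append(ConsentEvent(subject_id, purpose, True, at, how, evidence))

    def withdraw(self, subject_id: str, purpose: str, at: datetime, how: str,
                 evidence: str) -> ConsentEvent:
        """Record withdrawal unconditionally: it must be as easy as giving consent."""
        return self._append(ConsentEvent(subject_id, purpose, False, at, how, evidence))

    def _append(self, event: ConsentEvent) -> ConsentEvent:
        if event.at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self._events.append(event)
        return event

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Is processing for this purpose covered by consent at time 'at'?
        The most recent event at or before 'at' decides; no event means no consent."""
        when = at or datetime.now(timezone.utc)
        relevant = sorted(
            (e for e in self._events
             if e.subject_id == subject_id and e.purpose == purpose and e.at <= when),
            key=lambda e: e.at,
        )
        return bool(relevant) and relevant[-1].given

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one person, e.g. to answer a subject access request."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.at)


def sample_ledger() -> ConsentLedger:
    """Constructed sample: one customer opts in to the newsletter at checkout
    on 25 May 2018 and unsubscribes on 10 June 2018."""
    ledger = ConsentLedger()
    ledger.give("subj-42", "newsletter",
                at=datetime(2018, 5, 25, 10, 0, tzinfo=timezone.utc),
                how="unticked 'Email me offers' checkbox on checkout form v3",
                evidence="order 10042", affirmative_act=True)
    ledger.withdraw("subj-42", "newsletter",
                    at=datetime(2018, 6, 10, 8, 30, tzinfo=timezone.utc),
                    how="unsubscribe link in newsletter",
                    evidence="token 7f3a91")
    return ledger


if __name__ == "__main__":
    ledger = sample_ledger()
    june_1 = datetime(2018, 6, 1, tzinfo=timezone.utc)
    print(ledger.has_consent("subj-42", "newsletter", june_1))  # True
    print(ledger.has_consent("subj-42", "newsletter"))          # False (withdrawn)
    print(ledger.has_consent("subj-42", "profiling", june_1))   # False (never given)
    for e in ledger.history("subj-42"):
        print(e.at.isoformat(), e.purpose, "given" if e.given else "withdrawn", e.how)
```

The mailing job should call `has_consent` at send time rather than reading a cached flag, so a withdrawal takes effect immediately; the `how` and `evidence` fields are what you would produce if asked to prove the consent was valid.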
Data breaches
Certain types of data breach have to be reported to the ICO, without undue delay and where feasible within 72 hours of becoming aware of the incident. In some cases, you will also be obliged to contact the people affected directly.
A personal data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data". So a hack into your customer database would qualify, but so would a lost laptop, an email sent to the wrong recipient, or a ransomware infection that makes the data unavailable. Whether you need to report it depends on your assessment of the likely impact: you must report the breach to the ICO unless it is unlikely to result in a risk to the rights and freedoms of the people affected, and if the risk is high you must also tell those people directly, so that they can protect themselves (for example by changing passwords).
Failing to report a data breach that should have been reported could be expensive: the ICO can issue fines of up to 10 million Euros or 2% of your annual worldwide turnover, whichever is higher.
All data breaches should be recorded (what happened, its effects and what you did about it), whether they are reported or not; the ICO can ask to see this record.
Action point: make sure you understand the security you have in place to protect personal data, know how you would detect a breach, and have a plan for who assesses it and reports it within the 72-hour window.
Children
The GDPR introduces extra protection for personal data collected about children. Where you rely on consent as the legal basis for offering online services directly to a child, consent must be obtained from a parent or legal guardian if the child is below the age threshold. The GDPR sets that threshold at 16 by default but lets member states lower it to 13, which the UK has chosen to do (the Data Protection Act 2018 sets it at 13). So, if you are providing online services aimed at children and rely on consent to process their data, then you may need to change your website and offline processes to make sure you obtain lawful consent, and make reasonable efforts to verify that a parent really did give it.
Action point: make sure any consent you obtain to process children's data is valid under the new rules.
Data protection by design and DPIAs
The GDPR says that controllers and processors have a general obligation to implement appropriate technical and organisational measures to protect personal data. 'Data protection by design and by default' (often called 'privacy by design') is a key theme: data protection should be part of the design of any system, product or process from the very start, not bolted on as an afterthought. In practice that means things like collecting only the fields you need, restricting access to those who need it, encrypting data at rest and in transit, and defaulting settings to the most private option.
As part of the design process, you are required to carry out a Data Protection Impact Assessment (DPIA) where the processing is likely to result in a high risk to individuals (for example large-scale profiling, systematic monitoring of a public area, or large-scale processing of special category data). A DPIA is a design tool (a process) that you use to identify likely data protection issues and reduce the risks.
It seems unlikely that a small, straightforward e-commerce website would need to carry out a formal DPIA, but it's a possibility, particularly if you introduce something new such as tracking or profiling customers. Of course, you should be considering data protection risks at all stages. The ICO website provides plenty of information about DPIAs if you want to read more.
Action point: ensure that the philosophy of 'privacy by design' is understood and adopted. Understand when you are required to carry out a DPIA.
Data Protection Officers
A Data Protection Officer (DPO) is someone who is formally appointed to help your business comply with data protection law and to act as an official contact for data subjects and the ICO. You have to appoint a DPO if:
- you are a public authority
- your core activities involve large-scale, regular and systematic monitoring of individuals
- your core activities involve large-scale processing of special ('sensitive') categories of data or data about criminal convictions and offences.
So, the majority of small online businesses are not obliged to appoint a formal DPO. It's still a good idea, however, to decide who will be responsible for making sure your business complies with, and keeps up to date with, the GDPR and other data privacy legislation.
Action point: decide who will be responsible for GDPR compliance and appoint a DPO if necessary.
International
If your business operates in more than one EU country then you need to identify and record which 'supervisory authority' you answer to. This is relevant if you actually operate (not just sell) in more than one country, i.e. you have offices, factories etc. in more than one EU country, OR if you engage in some form of cross-border processing that substantially affects individuals in other EU states.
Action point: identify your relevant supervisory authority (which will be the ICO if you operate only in the UK)
Finding out more about the GDPR
There's still time to comply with the GDPR, but don't delay. The regulation applies from 25 May 2018.
For small businesses that do straightforward processing of basic personal data the burden is not huge, but act now. The ICO website has published a lot of information about what the GDPR means for organisations and what you need to do. We've also written a series of blogs specifically for small businesses, highlighting those aspects of the GDPR that are likely to be the most relevant.