GDPR and your business
The General Data Protection Regulation (GDPR) came into force on 25th May 2018, designed to enable individuals to better control their personal data. This legislation must be adopted by every business and other organisation in the country, large or small, even sole traders.
Almost certainly it will apply to your business/organisation. You may even have missed the deadline, but that doesn't mean that you can ignore what is one of the most important pieces of legislation to affect businesses in decades.
Does it apply to you? Take the test
Does your company/organisation hold any personally identifiable information (PII)?
This is defined as any information that can be used to identify a person. It includes names, addresses, email addresses, gender, date of birth, faces, IP addresses, website cookies, purchases, downloads, payment transactions, donations, education and financial information. See slide below.
If you hold any of the above information, you must show that you understand the GDPR obligations, which relate to your employees, your contractors and suppliers, as well as customers/clients. In the case of your customers/contacts etc, you must ensure that you have communicated to individuals that they are on your mailing list and that they have agreed to remain in contact with you.
It is the law, and the ICO (Information Commissioner's Office) can carry out an audit at any time. Companies and other organisations may be selected randomly. If you decide to do nothing, you could be fined 2% of your turnover for non-compliance. It could also destroy trust in your business.
Under GDPR individuals have the right to compensation if they suffer loss or damage as a result of actions or inactions taken by your organisation.
A large number of small businesses will miss the deadline, but the ICO (Information Commissioner's Office), responsible for the new legislation, has stated that small businesses will not be its focus in the first few months, which will be on data-intensive companies. However, the ICO stresses that this does not mean that small businesses are exempt or can ignore this legislation. It is important for small businesses and even sole traders to demonstrate a commitment to GDPR and that they have put basic safeguards in place.
The principle behind GDPR is that you only store the minimal amount of information and for the shortest time possible and that it is stored securely.
- Personal data must be acquired lawfully, fairly and transparently
- It must only be held for explicit and legitimate purposes
- The data held on individuals should be limited to what is relevant and necessary for the purpose
- Data should be up-to-date and be accurate
- Data should be kept secure. GDPR covers data held electronically and in paper files. No more lever arch files on shelves; from now on you have a legal liability for all this information and failure to take these measures could result in a heavy fine.
You can have all this sorted using this jargon-free guide as a starting point, together with simple templates created by GDPR experts, including The DPO Centre (thanks to the North London Chamber of Commerce), and from the ICO website: https://ico.org.uk
Use these templates to create your own GDPR-compliant documents. Copy each section into a Word document, insert your company name in the relevant sections and delete the parts that don't apply to your business/organisation.
If you do it this way you will start to understand GDPR and the implications for your business or organisation, one step at a time.
This guide is intended as an introduction to GDPR, to help you to work out what you need to do to protect your business. It is always advisable to have your GDPR documents checked over by your solicitor.
The DPO Centre (https://www.dpocentre.com) is a specialist consultancy helping companies navigate through this minefield. There are others; if in doubt, seek expert advice.
Begin by listing all the information that you and companies you work with hold on your staff, contractors, suppliers and customers, including potential customers. There are various categories of data, defined as personal, sensitive and special category, shown in the three columns on the slide above. Most organisations are prohibited from holding special category data, without explicit reasons for doing so and informed consent.
Other key questions:
- Who has access to this data?
- Is it up to date, correct and complete?
- How is it stored, and is this data stored safely, in password controlled/encrypted files and in locked filing cabinets etc?
- How long do you retain personal data and how is it deleted when no longer required?
The legislation has two categories of data users:
• Data controller: the person or persons who are responsible for the PII data held within an organisation
• Data processor: any person or company that 'processes' your PII data, i.e. has access to it. This could include a marketing agency, payroll company, recruitment company, IT suppliers or security company.
Your staff must be trained in your Data Protection Policy and their obligations to protect the personal data held by your company. Their compliance must be regularly reviewed. Larger organisations must have a Data Protection Officer; smaller companies must assign this role to a named person in the organisation.
Third Party Contractors – Your Data Processors
Do you share any personal information with a third party, such as a payroll bureau, a web developer, a marketing services company, your accountant, solicitor or a cloud service provider?
If yes, you need to put a written agreement in place, called a Data Processor Addendum.
You need to stop sending emails with attachments containing PII data; instead use file transfer apps like Dropbox and manage who has access to these files.
Electronic marketing – Consent to contact
The Privacy & Electronic Communications Regulations (PECR) are also being updated under GDPR.
By now you are likely to be sick of re-subscribing, ignoring or responding to emails from companies and other organisations who have you on their mailing lists and want to stay in touch with you. If you have developed mailing lists delivered by email or text for your organisation, you must comply with PECR.
The rules for communicating with consumers are stricter than those for marketing to businesses. From 25/5/18 companies and other organisations can no longer send unsolicited marketing messages to consumers. Consent should be sought, as you are not allowed to rely on pre-GDPR consent.
Most organisations are required to request a positive opt-in. However, many organisations are citing a "Legitimate Interest" for staying in touch, which is likely to lead to less erosion of the database.
Here is the Information Commissioner's Office (ICO) definition of legitimate interest:
• That there is a clear benefit to the individual in receiving the communication
• There is a limited impact on the privacy of the individual
• The individual should reasonably expect you to use their data in this way
• That you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.
Here is an example of an email which covers all the key issues:
"As you may be aware, the General Data Protection Regulation (GDPR) will come into effect on Friday 25th May 2018, which will harmonise existing data protection legislation within the European Union. This means companies have new obligations around the storing and processing of the personal data of their customers/supporters.
Thank you for your continued support"
This legislation was designed to ensure that big companies don't continue to abuse/misuse personal data. It has even been described by one GDPR expert as "corporate law gone wrong", because of the way that small companies and not for profit organisations are also required to comply.
However, that doesn't mean you can ignore it. Ideally all your GDPR policy documents should be checked over by a solicitor.
We may all make mistakes on how we interpret this new legislation; the most important thing for you to do is to demonstrate that you have undertaken your best efforts in complying with GDPR.
There are further documents that you could construct to cover your legal obligations, which can be downloaded from this website.
There is also a dedicated GDPR advice line to help small businesses prepare: call 0303 123 1113. Select option 4 to be diverted to staff who can offer advice and support.
The Information Commissioner's Office is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Here is a link to their GDPR guidelines.
Care is taken to ensure this information is accurate. Please use it wisely, as your GDPR starting point, and consult your own experts for legal advice.
If you spot any errors of interpretation etc., please get in touch.