It is the law. The ICO (Information Commissioner's Office) has the power to audit organisations, and companies and other organisations of any size may be selected. If you decide to do nothing, you can be fined for non-compliance: the maximum GDPR penalty is €20 million or 4% of annual worldwide turnover, whichever is higher, with a lower tier of €10 million or 2% for less serious infringements. A fine is not the only cost; a breach or enforcement action can also destroy trust in your business.
Under GDPR individuals have the right to compensation if they suffer loss or damage as a result of actions or inactions taken by your organisation.
Begin by listing all the personal data that you, and the companies you work with, hold on your staff, contractors, suppliers and customers, including potential customers. There are various categories of data, shown in the three columns on the slide above: ordinary personal data, sensitive data, and special category data (the GDPR term for data such as health, racial or ethnic origin, religious beliefs, trade union membership, sexual orientation, genetic and biometric data). Processing special category data is prohibited unless one of the specific conditions in Article 9 applies, such as the explicit consent of the individual, so do not hold it without a documented reason and lawful basis.
Other key questions:
- Who has access to this data?
- Is it up to date, correct and complete?
- How is it stored, and is it stored securely: are electronic files access-controlled and encrypted, and are paper records kept in locked filing cabinets?
- How long do you retain personal data and how is it deleted when no longer required?
The legislation defines two roles for those who handle personal data:
• Data controller: the person or organisation that decides why and how personal data is processed, and is responsible for that data.
• Data processor: any person or company that processes personal data on your behalf and under your instructions. This could include a marketing agency, payroll company, recruitment company, IT suppliers or a security company.
Staff Privacy Policies
Your staff must be trained in your Data Protection Policy and their obligations to protect the personal data held by your company, and their compliance must be reviewed regularly. A Data Protection Officer is mandatory for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special category data; other organisations should still assign responsibility for data protection to a named person.
INTERNAL DATA PROTECTION POLICY TEMPLATE
Third Party Contractors – Your Data Processors
Do you share any personal information with a third party, such as a payroll bureau, a web developer, a marketing services company, your accountant, solicitor or a cloud service provider?
If yes, you need a written contract with each of them that sets out the processor's obligations (GDPR Article 28 requires this); the template on this site is called a Data Processor Addendum.
Stop sending emails with attachments containing personal data; instead use a file-sharing service such as Dropbox and control who has access to each file. Remember that the file-sharing provider is then itself a data processor and needs the same written agreement.
DATA PROCESSOR ADDENDUM TEMPLATE
Electronic marketing – Consent to contact
The Privacy and Electronic Communications Regulations (PECR) continue to apply alongside GDPR, and the consent they require is now judged against the GDPR standard.
By now you are likely to be sick of re-subscribing, ignoring or responding to emails from companies and other organisations who have you on their mailing lists and want to stay in touch with you. If you have developed mailing lists delivered by email or text for your organisation, you must comply with PECR.
The rules for communicating with consumers are stricter than those for marketing to businesses. Unsolicited electronic marketing to consumers requires consent (or the PECR "soft opt-in" for existing customers who were given the chance to opt out when their details were collected). Pre-GDPR consent can only be relied on if it meets the GDPR standard: freely given, specific, informed and unambiguous, and given by a positive action.
Most organisations therefore need to request a positive opt-in. Many organisations are instead citing "legitimate interests" for staying in touch, which erodes the database less, but legitimate interests can only justify marketing where PECR does not require consent (for example postal marketing, or email to business contacts); it cannot replace the consent PECR requires for email or text marketing to consumers.
Here are the Information Commissioner's Office (ICO) indicators that legitimate interests may apply (the ICO's formal test has three parts: a legitimate purpose, the necessity of the processing for that purpose, and a balancing of your interests against the individual's):
• That there is a clear benefit to the individual in receiving the communication
• There is a limited impact on the privacy of the individual
• The individual should reasonably expect you to use their data in this way
• That you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.
Here is an example of the kind of notification email many organisations sent before 25 May 2018. Note that an email like this informs the recipient but does not on its own collect consent; if you need consent, the message must include a clear opt-in action:
"As you may be aware, the General Data Protection Regulation (GDPR) will come into effect on Friday 25th May 2018, which will harmonise existing data protection legislation within the European Union. This means companies have new obligations around the storing and processing of the personal data of their customers/supporters.
Thank you for your continued support"
This legislation was designed to stop big companies abusing or misusing personal data. One GDPR expert has even described it as "corporate law gone wrong", because small companies and not-for-profit organisations are required to comply too.
However, that doesn't mean you can ignore it. Ideally all your GDPR policy documents should be checked over by a solicitor.
We may all make mistakes on how we interpret this new legislation; the most important thing for you to do is to demonstrate that you have undertaken your best efforts in complying with GDPR.
There are further documents you may need to cover your legal obligations; templates can be downloaded from this website.
There is also a dedicated GDPR advice line to help small businesses prepare: call 0303 123 1113 and select option 4 to be diverted to staff who can offer advice and support.
The Information Commissioner's Office is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Here is a link to their GDPR guidelines
Care is taken to ensure this information is accurate. Please use it wisely, as your GDPR starting point, and consult your own experts for legal advice.
If you spot any errors of interpretation, please get in touch.