GDPR for Small Businesses & SMEs


This article is a guide to GDPR for small and medium-sized businesses (SMEs), meaning businesses with fewer than 250 employees.

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU regulation that covers how personal information (data) is gathered, used and protected.

It comes into force on 25th May 2018 and, in the United Kingdom, replaces the Data Protection Act 1998 (DPA).

Who does GDPR apply to?

GDPR applies to all businesses, of any size, that gather, store or use personal information. The regulation uses the terms “controller” and “processor” to differentiate between deciding how data is used and actually using it. The controller is the party who decides what data to gather and why. The processor takes action using that data on the controller’s behalf.

For example, if you decide to gather customer contact information for electronic marketing purposes, then you are the data controller. If you give this contact data to an electronic marketing company (e.g. an email newsletter service provider), then they are the data processor.

However, if you send the email newsletters out yourself, then you are both the data controller and processor.

Don’t get too hung up on the terminology. The point is that if you gather, store or use personal data then you are subject to GDPR.

The good news for most SMEs is that the more rigorous aspects of the regulation may not apply to businesses with fewer than 250 employees.

Is compliance necessary given Brexit?

Yes. GDPR comes into force before the UK leaves the EU, which means that businesses must comply with the regulation.

The government has indicated that UK law will carry over the GDPR provisions, so that there is a seamless movement of data between the UK and the EU post-Brexit.

How do I make sure my business is compliant?

If you are already compliant with the DPA 1998, then complying with GDPR should not be a major task.

In the rest of this article, we’ll look at what you need to do to ensure your business complies with GDPR.

Handling sensitive personal information

All personal information is arguably sensitive, as you can use it to identify an individual. After all, this is the reason why regulations like the DPA and GDPR exist in the first place.

However, some personal information is particularly sensitive and could pose a high risk to an individual if the information fell into the wrong hands. Examples include biometric or medical information, sexual orientation, race/ethnicity, religious or political beliefs, trade union membership, criminal offences and so on.

If your business routinely handles this sort of “high risk” personal information, then you must carry out a documented risk assessment. This exercise identifies and mitigates any safeguarding risks and demonstrates compliance with GDPR.

Generally, we would not consider contact information (names, addresses, phone numbers and email addresses) as high risk. Therefore, if that’s the only class of information you have, you don’t need a risk assessment.

Data Protection Officer

If your business activities involve handling sensitive personal data on a large scale, you may need to appoint someone as your Data Protection Officer (DPO). The DPO should be independent from both the management and the individuals or team doing the data processing.

There is no clear definition of “large scale” within GDPR, but hospitals, banks and insurance companies are cited as examples.

Again, if you’re not handling sensitive personal information then this doesn’t apply.

Privacy Information notices

You have probably seen privacy information notices before, for example on web sites. You may have seen them emailed from social media companies or buried within the lengthy Terms & Conditions that most people scroll past to click “Accept”.

GDPR means you must update your privacy information notices, whether they are online or on paper. Or you will need to create one if you haven’t already got one! They should also use clear language and be easy to understand. So what should be in your privacy notice?

There are several areas to cover in your privacy notice…

1. Who exactly are you?

You should clearly identify your organisation. This means the name and contact information for your business.

This is especially important where you have multiple brands or “trading as” identities.

2. What data are you collecting?

Your notice must explain what sort of personal information is gathered. Take a few minutes to note down all the types of personal information you collect and use. For example, names, addresses, phone numbers and so on. This will also help you explain why you’re collecting it.

If you are not collecting information from people directly, you should explain where (or who) you’re getting the information from.

3. Why are you collecting this data?

You need to explain the lawful purpose for collecting and using personal information. This can be one or more of the following…

Consent

This is where you have clear and explicit permission from the individual. You must also keep records of when and where the individual gave consent.

GDPR tightens the rules because people have played fast and loose with “consent” in the past. Ever found yourself on a mailing list because you allegedly “signed up with us or one of our partners”? No way of verifying when and where you gave consent? Well, then you’ll understand why GDPR is stricter!

Contract

Use this reason if you need the information to fulfil a contractual obligation. For example, if you need certain information to deliver a product or service.

Sometimes, you might need personal information before entering into a contract. For example, gathering a customer’s contact information so that you can provide a requested quote and follow up on it.

Legal obligation

There are some UK and EU laws that require you to gather information in certain circumstances. For example, an employer must provide salary information to HMRC, or a financial institution may need certain information to comply with the Proceeds of Crime Act or money laundering regulations.

Vital interests

This applies when information is used to protect the vital interests of an individual. Essentially a life and death situation. For example, getting medical history for someone admitted to a hospital A&E with life-threatening injuries.

Public task

Use this reason if your business acts as an “official authority”. For example, your business performs a public function or exercises powers covered by law.

Generally, this applies only to public and state authorities. It could apply to a private organisation carrying out tasks in the public interest, for example a power or water utility company.

Legitimate interest

This is a tricky one. On the face of it, it seems to be a catch-all. As long as you have a legitimate interest (need), then using the data is okay. Right?

Uh, no – it’s not quite that simple.

There’s a three point test to apply. First, does the “legitimate interest” represent a genuine and reasonable objective? A good example would be fraud prevention. For example, a credit card or insurance company might share client information (without consent) because it has a legitimate interest in preventing fraud.

Second, is the collection and use of the data necessary? In other words, could you achieve the objective in another reasonable and less intrusive way?

Finally, do the individual’s interests, rights and freedoms outweigh your interests? In other words, if your interests are fairly trivial, the impact on the individual is likely to prevail.

A classic example would be direct marketing. You cannot rely on “legitimate interest” to avoid getting consent for sending electronic marketing material to people (PECR requires consent).

4. How are you using the data?

Okay, so far you’ve established what data you are gathering and why. Next, you need to explain how you are using that data.

A common example would be how information is used to either process an order, deliver a service and/or send out marketing information.

You should also explain if personal data is used or shared with any third parties. For instance, if you use a third-party marketing service and provide them with customer contact information for an electronic newsletter.

Also, you should explain how long you will retain personal information. You should only keep data for as long as it is necessary.

5. How are you protecting the data?

You may have personal information in various places. It could be a spreadsheet on a desktop PC or contained in a customer relationship management database. You may simply have a bunch of email addresses in your email client address book.

You should know where you keep all this personal data and how you’re keeping it secure and up-to-date. “Secure” means that no unauthorised person can access, copy, modify or destroy the information.

There are a few things you can consider. If you are keeping personal data on a computer system, is that data backed up? If so, where do you keep those back-ups? Have you got personal data on a third-party network storage service (e.g. Google Drive, Apple iCloud or Microsoft OneDrive)? Is it encrypted?

Remember, desktop PCs infected by malware or viruses can compromise any information stored on the system. Likewise, remote attackers (over the network or internet) can exploit security vulnerabilities in your web site. This gives them access to any information stored on the machine hosting the web site.

You do not need to have all personal information encrypted on disk drives in military grade concrete bunkers stored underground. You simply need to take reasonable and appropriate precautions to protect and secure the data. Ensure your IT infrastructure and anti-virus/anti-malware software is up-to-date. Make sure you know where you’re keeping personal information (including back-ups).

6. Explain individual data rights

People have a number of rights regarding their personal information. These are:

Informed

You must inform people about the collection and use of their personal data. The privacy information notice serves this purpose. However, make sure you draw their attention to it at the point where you collect the information.

Access

People have the right to see what personal information you hold on them. This is known as a “subject access request”. Provide the requested information as soon as possible and within a month at most. Unless the request is obviously unfounded, excessive or repetitive, you cannot refuse or charge a fee for this.

If you decide to refuse access, you must inform the individual of their right to complain to the ICO.

Restricted use

Under certain circumstances, people have the right to restrict use of their data. This means you can still store it but cannot use it. Usually, this happens when there is some other issue to resolve. For example, while considering an objection, correction or erasure request (see below).

You can lift the restriction once you’ve addressed the issue. However, you must inform the individual of your decision beforehand.

Correction

If personal information is inaccurate or incomplete, people are entitled to have it corrected. You have one month to comply with any correction request. Again, you can only refuse or charge a fee if the request is unfounded, excessive or repetitive.

Erasure

This is sometimes referred to in the media as “the right to be forgotten”. Individuals can request that you permanently delete all the information you hold on them. If so, you must comply within one month of receiving the request.

There are a few exceptions, for example if there’s a legal obligation to hold the information.

Objection

Individuals have the right to object to the use of their data. However, this only really applies to direct marketing, research or “legitimate interest” uses.

In this case, you should restrict use of their data (see above) while you deal with the objection.

Data portability

This is a very specific entitlement. It means that people are entitled to obtain their data in a “portable” format. In other words, a structured, common and machine-readable format.

This right applies to automatically processed data, obtained by consent or contractual obligation. The most common example would be bank account transactions that you can download and upload.

7. How you handle data breaches

A “data breach” is any occasion where an unauthorised person accesses, copies, modifies or destroys personal data.

Unless you handle high risk data, you don’t have to include information on how you would handle a data breach. In the event that a high risk breach occurs, you must inform the ICO within 72 hours.

It’s a good idea to think about it, though. How would you know that a breach had occurred? A good answer to that question suggests you have good control of your data.

Putting it all together

Phew! After all that, you may feel like your privacy notice will be a twenty page epic!

No, it doesn’t have to be that complicated. Ours is quite simple. The ICO also has some examples of good and bad privacy notices.

Probably the biggest task is just thinking about the several points above. But, if in doubt, get in touch and we’ll help you out!