GDPR - What small businesses need to know
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It will replace the current European legislation (the Data Protection Directive) and the UK equivalent - the Data Protection Act 1998 (DPA). It will affect all companies that handle EU citizens’ personal data, even if the company is not based in the EU.
GDPR aims to make the rules for data collection and processing (where it goes, what it’s used for, and who else has access to it) consistent across the UK and the EU and will ensure that personal data held by organisations is kept secure and only used for the purpose it was collected. While it is primarily intended to protect consumers, it will obviously pose a real cost to those businesses that need to update their compliance.
What counts as personal data?
The GDPR’s definition of ‘personal data’ is much more detailed than the current DPA. According to the GDPR, personal data is:
“any information relating to an identified or identifiable person”
This more detailed definition reflects changes and advances in technology and in how organisations collect and record information about people. Personal data could include (but is not limited to):
Name, address and unique identifying numbers;
Demographic data: age, gender, income, etc.;
Behavioural data: web search history, purchase history, etc.;
Social data: social media friends list, email content and address book, etc.;
Sensor data: biometrics, health tracking apps and devices, etc.
For most organisations that keep HR records, customer lists, or contact details, the change to the definition shouldn’t make much difference. If you are DPA compliant with data collection, you should also be GDPR compliant.
Who will GDPR affect?
According to the ICO website:
“The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.”
There are, of course, a couple of exceptions where GDPR will not apply:
“activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.”
What does it mean for SMEs?
All businesses that process and handle the data of consumers in the EU, regardless of their size, will need to comply with the new legislation. The GDPR broadly expects SMEs to manage their data collection and processing to the same degree as larger organisations.
If you are an SME, do not bury your head in the sand and pretend this doesn’t apply to you. You need to understand the legislation and get a GDPR strategy in place quickly. The fines are considerable: non-compliant organisations can be fined up to 2–4% of global turnover or €10m/€20m (whichever is greater) per breach.
What can you do now to be prepared?
Don’t wait until May to get a strategy in place - now is the time to start, so you are ready when the legislation comes into effect. Some things you can start doing now to be prepared are:
Consider a data and compliance audit
For a data audit, you need to record all the information you keep on clients, how you obtained it and who you share it with. The ICO has a free online checker to assess GDPR compliance, but you may need to consult a lawyer if your database is extensive.
Set up GDPR policies and procedures
Policies need to be in place both for collecting and managing data, and for how you would delete personal data or provide it electronically, in a commonly used format, if requested. You also need to detail what you would do in the event of a data breach. The ICO has more information on this here.
Refresh your existing database with a marketing campaign to confirm consent to hold clients’ and customers’ personal data if it doesn’t currently meet the GDPR standard. See this document from the ICO for guidance.
Update your website and privacy notices
A privacy notice currently informs people of who you are and how you will use their information. The new GDPR rules will require you to explain, in clear and easy-to-understand language, your ‘lawful basis’ for processing the data, how long you will keep the data, and that individuals have a right to complain to the ICO if they are not happy with how you handle their data. The ICO’s Privacy notices code of practice explains this in more detail.
Consider taking a training course to get a good understanding of the processes you need to follow. IT Governance offers a wide choice.
*This blog is for information purposes only. MoGio VA is not a qualified lawyer and therefore this article should not be taken as advice. All information is correct as of time of publication.