The General Data Protection Regulation (GDPR) is a new set of EU rules governing the collection and processing of data of all EU citizens. It will come into force from 25 May 2018.
There are different rules depending on your industry and size of business for you to consider, but to give you an overview of GDPR, we’ve broken down some of the essential elements and a few things you might want to consider to help you comply. Or jump straight to our GDPR check-up checklist to find out how to stay compliant with the new rules now.
So what is GDPR in a nutshell?
GDPR aims to give people more rights over their personal data, and aims to better regulate the way businesses and keep and store that data too.
Chances are your business has some type of personal data on file about your customers. You may also regularly email customers or potential customers about your business, a special offer, a new product or a service you can offer. If that’s the case, you need to know about how GDPR might affect you.
What is defined as ‘personal data’?
Before getting into the nitty gritty of GDPR, it’s handy to start with some definitions. So what do we mean by ‘personal data’ exactly?
One area that affects how your business needs to act on GDPR is whether you process personal data that could result in 'a risk to the rights and freedoms of data subjects' if lost. Essentially, losing any data relating to someone’s identity, lifestyle or contact information poses a potential risk to rights and freedoms – so most data can be called ‘personal’ in that sense.
Article 9 of the GDPR rules also identifies particularly sensitive data you have to be really careful with. This is information that reveals 'racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership'; or 'genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation'.
How do GDPR personal data laws affect small businesses?
In all likelihood, your employee records, customer details and business contacts will involve this kind of information in some way. So let’s take a look at the main principles of GDPR and how you’ll have to deal with them.
Consent
One of the biggest changes for businesses is the requirement to explain why you need someone’s data, and for some industries to obtain explicit consent to process sensitive personal information and consent to use that data for marketing purposes. For example, if you or your sales team is in the habit of taking email addresses from business cards to add to mailing lists or LinkedIn, you’ll need to start asking first. Consumers also have the right to object to marketing and to withdraw consent too.
Privacy
Once you collect that data, you’ll need to have systems in place that are designed to protect it. Put simply, you have to ensure data is adequately secured, so consider encrypting any database that contains your customers' data, not just password protect it.
Oversight
Because of the controller/processor distinction, for GDPR you will also need to be extra vigilant about which third-party apps and organisations you use. If you keep mailing lists with an online newsletter service like MailChimp, for example, it’s your responsibility to make sure they’re GDPR compliant.
Access and control
GDPR also requires that the data owner stays in control of their information, including the right to the erasure of personal information, the right to obtain and reuse their data, or to move, copy or transfer their data securely. So you’ll need to have a system in place so that any customers, staff or contractors know who to contact to gain access to their data, that they can view it in a 'commonly used and machine readable format', move it from one IT environment to another safely, and tell you to delete it if they wish.
Breach notification
The data owners also have to be told any time there’s a security breach. While this might conjure up images of large-scale hacks, it includes simple mistakes like a contractor being given access to your data or an employee losing a laptop.
Does GDPR apply to all businesses?
The new rules apply to every business that has customers, employees or clients in the EU. The UK government has also confirmed that it will follow the same rules here too in many instances, although this could be subject to change. So, Brexit will not affect your GDPR requirements (although it’s worth remembering that the UK government will be able to change its stance later).
How GDPR rules apply to your business will vary based on whether:
- You have 250 or more employees
- You are a ‘data processor’ or a ‘data controller’
If you employ fewer than 250 people, the main difference is that you aren’t required to hire a Data Protection Officer (DPO) unless you’re involved in systematic monitoring of data or processing sensitive personal data on a large scale.
You may also find the Information Commissioner’s Office (ICO), which will monitor compliance in the UK, is less likely to levy the heaviest of fines on your small business if you slip up.
Data processor or data controller?
The other way GDPR will impact your business will depend on if you are a ‘data processor’ or a ‘data controller’. The distinction between a data controller and data processor has a similar impact on how detailed your compliance plans need to be.
Data controllers are the ones in charge, and determine how data is used. Data processors either collect or analyse data on behalf of a data controller. So for example, if your business pays a salary to staff members through a payroll handling company, your business is the data controller and the payroll company is the data processor.
Controllers must not only meet the GDPR rules themselves, but also make sure any data processors they use also do the same. Data processors must keep records of their compliance in handling their data, even after it’s handed over to a controller.
These rules matter, as companies can be fined up to 4% of their annual turnover or €20 million (whichever is higher) for the most serious breaches. This scales down to 2% for lesser failures, such as not having records in order or not notifying the supervising authority and data subject about a breach. However, these fines only relate to accidental breaches. If you’re suspected of deliberately breaking the rules, you could even face a jail term.
The GDPR check-up checklist
With GDPR’s introduction just around the corner, we’ve gathered the key areas every small business owner should look at to find out if you're already compliant, and what to do about those areas where you’re not.
- Identify your lead authority. If you operate in more than one EU country, you’ll need to use Article 29 Working Party guidelines to identify which authority will oversee your compliance.
- Talk to your team. Share the key points of GDPR with staff and colleagues. The training will help them to get the details right, and they may spot things you miss.
- Audit your data. Break down all the data you currently own, and identify the rules which it must comply with.
- Check storage security. Ensure all databases are password protected and encrypted, and review who can access them.
- Plan to share and delete. Create the necessary contact forms and internal processes to share or delete personal data as requested.
- Review your privacy policy. This must be the new port of call for anyone seeking information about your reason for collecting data, and the way you will use it. Remember to include new rights about how to request data, or its deletion.
- Create a consent process. Revisit your system for data gathering, making sure it clearly asks for consent and has a clear ‘opt-in/opt-out’ option, and shares your privacy policy to explain what you’re doing with the data.
- Consider age verification. If you are likely to encounter children among customers, you’ll need to ensure you can verify their age as you’ll need parental consent to collect and use their data.
- Plan for data breaches. Have a system in place, and a person responsible, for dealing with data breaches. This could include a quick way to contact affected people, and tell them what’s being done.
GDPR takes effect on 25 May 2018, and it’s important that you understand what it means for you and how to stay compliant. For more information, visit the EU’s GDPR home page or the Guide to GDPR prepared by the Information Commissioner’s Office.