As I write this blog GDPR is 50 days away. So what is it and as a small business or organisation are you ready?
What is GDPR?
GDPR (General Data Protection Regulation) is new legislation coming into force from 25 May 2018 which will replace the existing data protection acts. It covers countries in the European Economic Area (EEA) including the UK.
This legislation is not going to be affected by Brexit and any UK laws that come into force after Brexit will run alongside.
It should be noted that it is the person whose data you hold that is covered NOT where you are based. Therefore if you are from the US for instance, but hold data on people from the EU, then you will need to comply.
Why do we need new legislation?
When the existing Data Protection Act came into force in 1998 we didn’t collect and process personal data in the same way as we do now. Technology, cloud based storage, online file sharing, mobile devices have all come into our everyday lives. We store a lot of information using these systems which would not be covered robustly enough under the existing law.
GDPR is to protect citizens and streamline the way personal data is controlled and processed.
It is not designed to ‘trip you up’ but there are large financial consequences for data breaches.
What is ‘personal data’?
The Independent Commissioner’s Office (ICO) states:
‘The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.’
In its simplest form this could mean names, addresses, telephone numbers and email addresses but may include bank account for instance. If a living individual could be identified from the data in your possession, or likely to come into your possession then it needs protecting. This also includes bits of data held separately that if combined could make that person identifiable. Just because you don’t know a person’s name doesn’t necessarily mean they could not be identified.
There is a further category of Special Data which is more sensitive information covering areas such as race, religion, political, health, trade union membership, sexual orientation, ethnic category and genetics. If you collect, hold or process Special Category Data and/or the data of children you will need to comply with further specific regulations.
I’m only a small business so do I need to bother?
Absolutely.
There are some exceptions, for instance not needing to employ a Data Protection Officer, for small businesses but you are not exempt.
If you process or control personal data about customers or potential customers, suppliers, members of the public or employees then you are obliged to protect this data and be able to report on how you do this.
For example, this could be whether your file sharing or back up platform stores data in the EEA or outside (it can be held in the US if they have a EU-US Privacy Shield but must be inside the EEA if it is Special Category data) to how people to sign up to your mailing list (always double opt in).
What data and information do you collect, how you collect it, what you need it for, how you store it and for how long and how you dispose of it.
Imagine your client asks you the above questions about their data. Can you clearly answer them in a way that would make your client feel their information was safe with you?
Now imagine you are the client asking the questions. What would you want to know about your personal data?
GDPR is for businesses only then?
No.
If you are a non-commercial community group such as a parish council or the WI or Scouts and you hold personal data you will need to be compliant.
So what do you need to do?
Firstly don’t panic or put your head in the sand!
Start by putting aside some time in your diary to look at GDPR. There is no getting away from it this a large piece of legislation with 99 Articles but the ICO has broken it down into helpful chunks and has written it in a way most organisations should be able to work through.
Have a read of the ICO’s guides for small organisations and go through their checklist.
Do a data audit exercise listing what data you hold, how you get it, where you keep it, the purpose for holding it, how long you need it for and how you dispose of it. Also audit your hardware, software and apps you use. Contact your software and app providers and ask if they will be GDPR compliant. If not move your data somewhere else.
Don’t forget to look at any manual filing systems you use.
Remember GDPR protects you as an individual but being compliant will be good for your business. Your clients will want to know they can trust you with their information. Include a link to your data privacy policy on your website and your email signature. Be clear and transparent about the information you collect and how it is controlled and processed.
Read up on the requirements and processes that you need to go through if there is a data breach.
If you are not registered with the ICO then check whether you should be (registering with the ICO is changing so look out for updates on this).
For help or more information contact the ICO.