A look into what the key stipulations of GDPR mean for a small business.
The fact that the European General Data Protection Regulation (GDPR) was mentioned in the Queen’s Speech and that it is one of the very few things that won’t change come Brexit, means it isn’t going anywhere, and any business, regardless of size, will be affected one way or another.
Many small business owners will have already earmarked May 25, 2018 as the date when the regulation comes into force, but it’s likely that all small businesses are asking the same question: what does GDPR mean for me and my business?
The simple answer is that it means a lot. Large or small, UK companies will have to comply with new regulations regarding the secure collection, storage and usage of personal information. What’s more, any violations will be met with substantial fines.
The good news is that the GDPR recognises that smaller businesses require slightly different treatment to large or public enterprises. Many aspects of GDPR will only apply to organisations employing over 250 employees but it is crucial that every UK business considers the regulation’s impact. If the processing that your business carries out is likely to result in a risk to the rights and freedoms of data subjects, or the processing is not just occasional, then the GDPR will apply.
What GDPR means
The GDPR has two central objectives: first, to give citizens and residents the ability to take back control of their personal data, and second, to simplify the regulatory environment for international business by unifying data protection regulation across the EU.
For the first time in data protection history, there will be a level playing field. The most important thing to remember about the GDPR is that it’s a regulation; a piece of law that takes effect in every member state.
The driving forces behind GDPR
Think how far computing and our reliance on digital services have evolved since the Data Protection Act was introduced in 1998. The average UK citizen is estimated to have as many as 118 online accounts that potentially include information that could identify them, so something definitely needed to happen to regulate how that data is handled and to reduce its exploitation. GDPR is the response.
TalkTalk, Ashley Madison, Carphone Warehouse; the number of high-profile, large-scale data breaches hitting the headlines has increased dramatically in recent years, putting the data of millions of citizens at serious risk. Despite the need for a streamlined, consistent regulation throughout EU member states, businesses are still not taking appropriate technical measures to protect the data they process. In the UK, for example, the maximum fine the Information Commissioner’s Office (ICO) – the supervisory authority – could apply prior to GDPR was relatively insignificant for larger organisations.
Key stipulations of GDPR
- Firms of more than 250 employees should consider whether they need to employ a Data Protection Officer (DPO). This person is responsible for ensuring that a business collects and secures personal data responsibly. As mentioned, this may also apply to small businesses with a workforce of under 250, depending on the processing that is carried out.
- Breaches in data security must be reported to data protection authorities such as the ICO in the UK. Ideally, breaches should be reported within 72 hours.
- Individuals have more rights dictating how businesses use their personal data. In particular, they have the ‘right to be forgotten’ if they either withdraw their consent to the use of their personal data or if keeping that data is no longer required.
- Failure to comply with the GDPR will lead to heavier punishments than ever before. Under current rules, the UK’s ICO can fine up to £500,000 for malpractice, but under the GDPR fines can reach €20 million or 4% of annual turnover (whichever is higher).
If you’re uncertain as to whether or not GDPR applies to you and your business, start by considering how regularly you deal with personal data – including data on all employees, both past and present, as well as suppliers – not just customer data. If this is a routine occurrence, then your business needs to adhere to GDPR. The ICO has also stated that any business affected by the Data Protection Act will also fall under the GDPR. The key difference between the two is that the latter will be much stricter in what it defines as personal data; genetic and biometric information will also fall into that category come May 2018.
Having a sound understanding of the type of data that will be affected under the GDPR is one thing, but having to search for where that data is held and who is responsible for it is another issue entirely, and one where smaller businesses may find themselves running headlong into trouble without the right processes in place.
Ideally, all data should be securely stored, with mechanisms in place that ensure personal data is kept within a security framework. However, this is not always achievable for smaller businesses.
The GDPR dictates that every piece of personal information held by your business needs to be identified, even if it’s stored on mobile devices or in the cloud, so it is imperative that you understand the processing activities that you undertake. This is especially important for businesses that employ workers who work off site or from home with company laptops. This is certainly a complex task, but it’s a necessary one to ensure efficient and futureproof data handling.
It is worth mentioning that compliance cannot simply be achieved by holding data on a series of complicated spreadsheets; not only will this cause problems in establishing exactly what it is you have, it also won’t help you find any data that you’re not aware of. When you understand exactly where you’re holding personal data, you’ll then be able to better monitor compliance and the processes involved in dealing with that data. You’ll also be better prepared for subject access requests (SARs) – a request under the DPA used by individuals who want to see a copy of the information an organisation holds about them – and the ‘right to erasure’, which may require you to identify and erase all of an individual’s data as well as prove that such requests were carried out.
Key changes to consent
The GDPR makes it very clear that consent is not a matter to be taken lightly. Any organisation, regardless of size, is going to have to re-examine the ways it manages consent. Under the GDPR, consent has to be granular, specific, withdrawable and, ultimately, auditable. To kick-start the process, assess your current practices for acquiring consent to collect and process data, personal or otherwise.
Ask yourself: “Do I have permission to both have and use this data?”
If you cannot answer that question, then you simply shouldn’t have the data, but that in itself has the potential to cause problems (simply deleting it is an infraction of compliance). One of the biggest changes is that consent will now time out and no longer be given in perpetuity. As a result, businesses will be looking at a threshold of around two years before having to seek re-consent to hold the same data.
Several companies have already faced penalties this year for sending marketing messages to people who didn’t explicitly consent to receive emails. Honda was fined £13,000 by the Information Commissioner’s Office (ICO) after sending 289,790 emails asking for clarification on whether customers wanted to receive marketing from them. Similarly, airline Flybe was fined £70,000 by the ICO in March for sending an email titled “Are your details correct?” to more than 3.3 million customers.
Let’s take a look at some of the changes to consent introduced by the regulation:
- Consent must be given by the individual. That means saying goodbye to all those pre-ticked boxes. You need to explain what you want to use the data for and, where appropriate, get their ‘explicit consent’.
- Whether you’re a data controller or data processor you must record how consent to use the data was given, who it came from, when, how and what the interested parties had been
- You must avoid burying consent requests where they can be overlooked and not fully understood. You must be open, honest and clear about exactly what you want to do with the individual’s information.
What do I need to do to become compliant?
It is essential that your entire organisation understands what GDPR is, as well as each individual’s role in preparing for compliance. To make this happen, you need support from the highest levels in your business right from the start.
The easiest way to do this is to break it down into manageable chunks. Begin with understanding what data your organisation collects. Not just names and addresses, but any information related to cookies, marketing databases, IP addresses – anything that can be used to identify an individual.
Then map your data: what you collect, what you use it for, and who it is shared with. Once you have done this, it is advisable that you and the employees within your business become familiar with the legislation. The ICO breaks compliance down into 12 easy steps, some of which will not necessarily apply to all organisations, such as data held outside of the UK and obtaining consent for minors under the age of 16.
Once you have done that, you can then perform a gap analysis: where are the gaps in your compliance? It is important to remember that some gaps will take priority over others depending on what type of organisation you are, what type of data you collect, and what you do with it. From here, you can start to put a project team together. Keep in mind that GDPR is not something that can be passed off to an in-house or external legal or compliance team, because different departments within your business will have their own ownership of the data, so it is important to build an interdisciplinary team.
Throughout the implementation process, security should be an integral part of the overall picture. An organisation that has taken security seriously will be able to show that security has been embedded into every stage of the product lifecycle and that it conducts security testing of both internal and external systems. Pay particular attention to the data you already possess and develop Data Protection Impact Assessments (DPIAs). You may also choose to use this opportunity to train or retrain all employees to better equip them in defending the business from threats such as phishing attacks.
What are the consequences of non-compliance?
If you are not yet actively preparing for GDPR compliance, you are potentially putting both your business and your customers at serious risk. Failing to comply with GDPR regulations has severe consequences for companies of any size, but they are perhaps more considerable for SMBs. The move to a percentage of turnover as a fine reinforces this. In early May, an NCC Group analysis of the £880,500 in fines handed out by the Information Commissioner’s Office during 2016 predicted they would have soared to £69m under the new regime. In addition, damage to the reputation of an organisation of any size should not be underestimated; there will be much stricter processes in place to notify users of a breach or lost data, which in turn has a direct impact on brand confidence, customer loyalty and, of course, profit.
In short, being aware of what GDPR means for your business is crucial and whilst undertaking the task of getting your business ready might make you want to bury your head in the sand until it goes away, it’s important to get started now to ensure you meet the requirements in time.
The views expressed on this page do not constitute legal advice and are intended for information purposes only.