Disclaimer: The advice provided here is our own interpretation and opinion. We have tried to simplify the main points of the GDPR to create this guide, but for more in-depth information please read the official ICO guidance.
After four years of debating and preparing, changes to data protection rules were finally approved by the EU Parliament in April 2016. And since then, the ‘GDPR’ has been a hot topic.
But is your business ready for the regulation changes coming into action on 25th May, 2018?
This guide is aimed at people running a small business in the U.K. We recommend you digest the information in this guide and read the ICO guidance to comply with the new regulations and avoid significant penalties.
This guide includes:
- What is the GDPR?
- Who does the GDPR apply to?
- What does the GDPR mean for small businesses?
- How can small businesses obtain data under the GDPR?
- What are controllers and processors?
- How to prepare your small business for the GDPR
- GDPR advantages for small business
- What happens if my business does not comply with the GDPR?
1. What is the GDPR?
GDPR is the General Data Protection Regulation. Created by the European Union Parliament, GDPR aims to strengthen the data protection for all individuals within the EU (European Union).
The purpose of the new regulation is to give individuals (also known as ‘data subjects’) more control over their personal data, as well as simplifying rules for international businesses by creating a unified approach to regulation that covers the whole of the EU.
After a two-year transition period, the new GDPR will replace the current Data Protection Act on 25th May 2018. A lot has changed in the world since the present act was created in 1998, and it’s time for data protection to catch up.
This means the way that businesses and organisations in the U.K. store and manage customer data is set to change.
2. Who does the GDPR apply to?
One of the biggest changes that the GDPR brings is that it applies to a broader scope of businesses. Any business that processes data about individuals living in the EU must comply with the new regulations – regardless of the business’ location. Even after Brexit, GDPR regulations will still apply to companies within the U.K.
And it’s not just big companies that will need to comply with the GDPR; the new rules also apply to small businesses, including those that have fewer than 250 employees.
Whether your business stores customer data manually in a spreadsheet or uses an automated digital capture form – the GDPR will apply.
Even if you run a small business but use a larger company to conduct large-scale processing of your business’ data, your business could be breaching GDPR and subject to significant penalties.
3. What does the GDPR mean for small businesses?
The new GDPR means that businesses must change the way they store and manage personal data belonging to individuals.
As of 25th May 2018, individuals will have the right to the following:
- The right to access
Individuals have the right to access their personal data and have the right to know how a business uses it or intends to use it. The company must provide the individual with a copy of their data, for free, and in electronic form, if requested.
- The right to be forgotten
Customers can withdraw their consent for a business to use their data and request for it to be permanently deleted.
- The right to data portability
Individuals can request for their data to be transferred from one provider to another and the business must do this via a commonly used, accessible, readable format for the individual.
- The right to be informed
Individuals must be notified by the business before they gather personal data on the individual. This must be done via an opt-in process where the individual gives clear consent.
- The right to have information corrected
Every individual in the EU has the right to amend or update data that is related to them.
- The right to restrict processing
Individuals have the power to stop their data from being used for processing. This means their records can remain in place with the business, but not be used.
- The right to object
The individual has the right to stop their data from being processed and used for marketing activities – without any exemptions. As soon as the business receives the request, it must stop processing the individual’s data immediately.
- The right to be notified
Individuals have the right to be notified if a data breach has occurred within the business that may compromise their data. The business must inform the individual within 72 hours of becoming aware of the breach.
Should an individual make any of the above requests, the business owner must make sure proper systems are in place to co-operate and respond to individuals accordingly.
4. How can small businesses obtain data under the GDPR?
Under GDPR, businesses cannot presume that individuals give consent for the business to obtain and use their personal data.
This means businesses will have to consider their methods of sales and marketing and ensure that they can prove that the individual agreed for the company to use their data. For example, an individual must ‘opt-in’ to receive a newsletter rather than using pre-checked boxes or small print as a disclaimer.
One way to prove consent for marketing communication was collected is to use a ‘double opt-in’ process. If individuals wish to receive further information from the business or confirm the business can use their personal data, they have to complete a form with a tick box to ‘opt-in’, as well as confirming this action in an email.
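The double opt-in process described above needs a record behind it, otherwise there is nothing to show when asked to prove that consent was collected. The following Python is an added example, not code from the original guide: it records the ticked box as a pending consent, confirms it only through an unguessable single-use token sent by email, stores only a digest of that token, keeps withdrawals as part of the evidence, and exposes the check to run before every marketing send. The class and function names, the 48-hour token lifetime and the sample addresses are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

# Assumed policy value for this example: an unconfirmed opt-in lapses after 48 hours.
TOKEN_TTL = timedelta(hours=48)


@dataclass
class ConsentRecord:
    """The evidence a business keeps: who consented, to what, when, and via which form."""
    email: str
    purpose: str
    source: str                                # which form or page collected the tick box
    opted_in_at: datetime                      # step 1: the box was ticked
    confirmed_at: Optional[datetime] = None    # step 2: the emailed link was used
    withdrawn_at: Optional[datetime] = None

    def is_active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class DoubleOptIn:
    """Two-step consent: a ticked box creates a pending record, an emailed token confirms it."""

    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._now = now
        # Only a SHA-256 digest of each token is stored, so a copied database
        # cannot be used to "confirm" consents the individual never confirmed.
        self._pending: Dict[str, Tuple[ConsentRecord, datetime]] = {}
        self._consents: Dict[str, ConsentRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request(self, email: str, purpose: str, source: str) -> str:
        """Step 1: the individual ticks the (unchecked by default) box.
        Returns the raw token to embed in the confirmation email; the raw value is not stored."""
        now = self._now()
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
        record = ConsentRecord(email=email.lower(), purpose=purpose, source=source, opted_in_at=now)
        self._pending[self._digest(token)] = (record, now + TOKEN_TTL)
        return token

    def confirm(self, token: str) -> Optional[ConsentRecord]:
        """Step 2: the link in the email was followed. Unknown, reused or expired tokens fail."""
        entry = self._pending.pop(self._digest(token), None)  # pop makes the token single-use
        if entry is None:
            return None
        record, expires_at = entry
        now = self._now()
        if now > expires_at:
            return None
        record.confirmed_at = now
        self._consents[record.email] = record
        return record

    def withdraw(self, email: str) -> bool:
        """Honour a withdrawal; the record is kept as evidence of what happened, not deleted."""
        record = self._consents.get(email.lower())
        if record is None or record.withdrawn_at is not None:
            return False
        record.withdrawn_at = self._now()
        return True

    def may_contact(self, email: str) -> bool:
        """The check to run before every marketing send."""
        record = self._consents.get(email.lower())
        return record is not None and record.is_active()

    def proof(self, email: str) -> Optional[dict]:
        """What the business can show if asked to demonstrate that consent was given."""
        record = self._consents.get(email.lower())
        if record is None:
            return None
        return {
            "email": record.email,
            "purpose": record.purpose,
            "source": record.source,
            "opted_in_at": record.opted_in_at.isoformat(),
            "confirmed_at": record.confirmed_at.isoformat() if record.confirmed_at else None,
            "withdrawn_at": record.withdrawn_at.isoformat() if record.withdrawn_at else None,
        }


class ManualClock:
    """Constructed clock so the example (and its expiry rule) runs offline and deterministically."""

    def __init__(self) -> None:
        self.current = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)

    def now(self) -> datetime:
        return self.current

    def advance(self, hours: int) -> None:
        self.current += timedelta(hours=hours)


if __name__ == "__main__":
    clock = ManualClock()
    doi = DoubleOptIn(now=clock.now)
    token = doi.request("alice@example.com", "newsletter", "website signup form")  # sample address
    print("may contact before confirmation:", doi.may_contact("alice@example.com"))
    doi.confirm(token)
    print("may contact after confirmation:", doi.may_contact("alice@example.com"))
    print(doi.proof("alice@example.com"))
```

The point of `proof()` is that the ticked box alone is not the evidence; the timestamped confirmation, the source form and any later withdrawal together are, which is why the record survives a withdrawal instead of being erased.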
5. What are controllers and processors?
The GDPR applies to data ‘processors’ and ‘controllers’.
‘Processing’ refers to any action performed on personal data, such as collecting, recording, storing, organising, sharing, erasing, etc. Processors are any entity that carries out processing.
A ‘controller’ is a processor with additional power. Controllers decide the purpose of the processing activities and methods.
If you store customer details in a third-party app on your phone or in customer relationship management (CRM) software, this makes your business the controller and the third-party software the processor. Alternatively, if you store and manage personal data manually in a spreadsheet that you have created yourself, this makes your business both the controller and the processor.
Under the GDPR, processors and controllers are jointly responsible for how the individual’s data is used. Businesses cannot rely on a third-party app or software to manage their data and assume they are complying with GDPR. Even if the business is outsourcing data from another company, it is the business’ responsibility to ensure it has been collected via GDPR compliant methods.
It is also important to note that cloud services are considered processors and controllers, meaning they are not exempt from the GDPR.
Data processors and controllers that fail to comply could be subject to severe fines and owe compensation to the individual for any damage caused by breaching the GDPR.
If a breach occurs, the business must report the security failure to the individual within 72 hours of first becoming aware of it.
6. How to prepare your small business for the GDPR
To get your business ready for the GDPR changes in May, we’ve put together a checklist of actions for small business owners to carry out. We recommend business owners seek advice from compliance specialists and IT consultants to be fully GDPR ready.
- Establish the current use of data in your business
Be clear on where all of the personal data in your business comes from and document what you do with the data. Note where the data is stored and who has access to it.
- Conduct a data cleanse
Remove any personal information that is not being used or has expired. The GDPR will mean that businesses cannot hold on to data they no longer need.
Things to consider when cleaning up your data:
- Can this data be erased instead of archived?
- What is the purpose of saving all this data?
- What is the purpose of collecting all these categories of personal information?
- Is it more financially viable to delete this information rather than encrypting it?
- Map out safety measures
Put security measures in place to prevent any data breaches from occurring, and take swift compliant action in the event of a violation.
Outsourcing data from third parties does not make you exempt from GDPR. Make sure your data providers have also followed the correct security methods.
- Frequently review business documentation
The GDPR will mean new methods of consent for consumers. Using pre-checked boxes and assuming consent will not be acceptable under the GDPR. Individuals need to explicitly consent to a business using their data.
This means no more pre-checked boxes or hidden small print, and requests for consent must be situated separately from other policies on your website or in your communications. Businesses should regularly review all privacy statements and disclosures and adjust them accordingly.
- Publish fair processing notices
Under the GDPR, consumers will have the right to be notified of how their data is being used. This is known as fair processing and aims to give individuals clear information on what the business is doing with their personal data.
A fair processing notice should include:
- Why the business is processing the individual’s data, including the legal basis you have, such as consent.
- The categories of recipients you may be sending the personal data to (customer, employee, supplier, etc.).
- How long you’ll be holding onto the individual’s data for.
You’ll also need to notify individuals of the existence of their data rights.
- Create compliant procedures for handling personal data
The new GDPR will give individuals more fundamental rights to access, adjust and remove their data. Businesses need to create compliant ways that this can be achieved.
Things to consider:
- How can individuals legally give consent?
- What is the correct process if individuals request their data to be deleted?
- How will the business ensure that the request is met and data is deleted across all platforms?
- How will the business transfer data should the consumer request it?
- How will the business confirm that the data genuinely belongs to the person requesting it?
- What is the plan in the event of a data breach?
- Will you need a Data Protection Officer (DPO) to manage the data?
7. GDPR advantages for small businesses
Being a business that complies with GDPR could bring an advantage to your business over others. No one wants their data to be lost, stolen, damaged or misused, especially given that we are living in a time where regular cyber attacks have become a frightening normality.
If your small business takes the time to comply with GDPR, customers will appreciate that you take their data seriously. This could build trust between you and your customer and serve as an advantage over your competitors.
It is also an opportunity for business owners to essentially clean up their business by assessing the use of their data and establishing which customers are active in the business.
8. What happens if my business does not comply with the GDPR?
Businesses that fail to comply with the new GDPR will be subject to significant penalties. Currently, the ICO (Information Commissioner’s Office) can fine businesses up to £500,000. But the GDPR allows fines of up to 4% of annual global turnover or €20 million, whichever is higher.
These are the maximum penalties for serious infringements such as using data without the individual’s consent, and fines will be tiered based on the severity of the breach. For example, if a business does not have their records in order, they could be fined 2% of annual global profits instead of 4%.
It’s important to emphasise that these penalties are not just to target big companies, and small businesses will not be overlooked. GDPR fines also apply to both processors and controllers – meaning third-party applications and ‘clouds’ will not be exempt from enforcement.
Even if you run a small business but use a larger company to conduct large-scale processing of your business’ data, your small business could still be subject to steep fines if the company fails to comply with GDPR.