Disclaimer: The advice provided here is our own interpretation and opinion. We have tried to simplify the main points of GDPR to create this guide, but for more in-depth information please read the official ICO guidance.
On 25 May 2018, significant changes will be made to the way businesses collect and store data under the new General Data Protection Regulation (GDPR).
Created by the European Union Parliament, the purpose of the GDPR is to replace the current Data Protection Act 1998, and give EU citizens more control over how businesses use their personal data.
This means businesses in the U.K. will have to change how they store and manage customer data. Companies that fail to comply with the GDPR will receive penalties of up to 4% of annual turnover or €20 million – whichever is greater.
1. What does the GDPR mean for tradespeople?
The GDPR means that businesses must change the way they store and manage personal data, and give the individual (also known as a data subject) control over what happens with their data.
For tradespeople, this means their clients, customers, contractors, and any other data subjects have the following rights:
- The right to access their data at any time, free of charge.
- The right to know why their data is being used.
- The right to remove their data and permanently delete it.
- The right to transfer their data to another provider.
- The right to be informed that their data is being collected.
- The right to amend/correct their personal data.
- The right to restrict what their data is used for.
- The right to be notified within 72 hours if a data breach occurs.
The GDPR applies to any business that collects and processes data belonging to individuals living in the U.K. – regardless of the business size. This means that even small construction businesses and self-employed tradespeople will have to comply with GDPR.
Do you store contractor details in an app on your phone? Do you use a spreadsheet to log customers’ details? However you collect or process an individual’s data, the GDPR applies.
If individuals wish to receive marketing information from you or confirm your business can use their personal data, the individual must complete a form or tick a box to opt in. This can also be followed by an email for the individual to confirm they are happy for you to contact them – this is known as a ‘double opt-in’.
If you’re a large construction company with over 250 people, GDPR states that you will need to employ or outsource a Data Protection Officer (DPO) to oversee the use of data in the business.
Even if you’re a self-employed tradesperson and use a third-party company to conduct data processing, you could still be subject to significant penalties if the company you use fails to comply with GDPR. For example, if you use an app to store customer details, you will need to make sure that the app has been updated to abide by the GDPR laws.
Additionally, if you store data with a cloud service provider (also known as ‘the cloud’), GDPR still applies. To ensure your data is secure, check that the processor you use is GDPR compliant first.
If a breach occurs and the data for your customers could be at risk, you must report the security failure to the individual within 72 hours of first becoming aware of it.
2. How do tradespeople need to prepare for the GDPR?
We’ve put together some simple-to-follow steps to help make your business GDPR compliant:
- Consider what personal data you currently collect from customers and clients. Do you need to be collecting the data? Are you handling it in a compliant, organised way? Data subjects will have the right to request their information from you, so the more organised you are, the better.
- Locate where the information you hold is stored. Are these storage methods approved under GDPR? If you save details manually on a spreadsheet or store them via a digital database, is the data secure?
- Conduct a data cleanse and delete old or unused data. GDPR will not allow businesses to hold on to old data that is not being used or data that is being misused.
- Assess how you collect the personal data. Are you obtaining it in a compliant way? Remember, an opt-out tick box or hidden small print on your website will no longer be allowed as a valid method of consent collection. Tradespeople should review their websites’ privacy statements and any other form of communication with clients thoroughly.
- Provide your data subjects with a fair processing notice to inform them how you are using the data. Are you storing data purely to communicate directly with the individual or are you collecting the data for marketing purposes? GDPR means individuals will have the right to know exactly how the data is used. Make sure you are transparent with your customers, clients, and contractors.
- Put security measures in place to prevent data breaches. Consider who has access to the data and update all passwords frequently. If a violation takes place, inform the data subjects within 72 hours.
A lack of recourse is the main implication for most small businesses, and monitoring data practices could prove particularly time-consuming.
Many tradespeople could benefit from a compliance assessment service. However, these can be expensive at around £1,000 for a bespoke service.
If you choose to carry out your own compliance, we recommend taking time to understand GDPR fully by following the steps in this guide and doing as much research as possible to protect yourself.
3. What happens if tradespeople do not comply with the GDPR?
Businesses that do not take GDPR seriously will be subject to significant penalties.
Depending on the severity of the breach, businesses will be fined up to €20 million or 4% of annual turnover – whichever is higher.
These penalties are not just targeting big companies with deep pockets. Small businesses and self-employed people will also receive penalties should they ignore GDPR.