Disclaimer: The advice provided here is our own interpretation and opinion. We have tried to simplify the main points of GDPR to create this guide, but for more in-depth information please read the official ICO guidance.
The General Data Protection Regulation (GDPR) is set to replace the current Data Protection Act 1998 on May 25th, 2018. The GDPR comes with increased responsibilities for businesses that collect, store, and use individuals’ data.
While the regulations are set to change how large businesses obtain and manage data, small businesses, including self-employed and freelance consultants, are also required to comply with the new rules.
Professional consultants could be faced with significant penalties for not complying with GDPR.
This guide includes:
- What is the GDPR?
- Who does the GDPR apply to?
- What does the GDPR mean for consultants?
- How can consultants collect data under the GDPR?
- What are controllers and processors?
- How should consultants prepare for the GDPR?
- What happens if consultants do not comply with the GDPR?
1. What is the GDPR?
GDPR is the General Data Protection Regulation, created by the European Union Parliament, with the aim of strengthening the protection of data for all individuals within the European Union (EU).
The rules will give individuals more control over their personal data, as well as a more unified approach to regulation throughout the whole of the EU.
GDPR means that current methods of processing and storing data will change come May 2018.
2. Who does the GDPR apply to?
GDPR applies to any business that processes or stores data belonging to individuals living in the EU – regardless of where the business is based. Even with Brexit, the UK will still have to comply with the new GDPR.
If you’re a self-employed consultant, GDPR rules will apply to you. Even if you are using a third-party company to conduct your data processing – you could still be breaching GDPR and receive steep penalties.
Some businesses use an automated digital capture form to log data, and some use a spreadsheet to store data manually. Regardless of how you process and store data – GDPR will apply to you and your business.
The good news is that the GDPR recognises that smaller businesses and the self-employed require different treatment to that of large companies.
Article 30 of the regulation states that businesses with fewer than 250 employees will not be bound by GDPR. However, GDPR will apply to small businesses with fewer than 250 employees if the processing carried out by the business results in a risk to the rights and freedoms of the individual.
GDPR applies to businesses of any size if data processing takes place regularly, or if the processing includes special categories of data as defined in GDPR Article 9.
If you’re unsure of whether or not GDPR applies to you, consider how often you deal with personal data. Whether it belongs to present or past employees, suppliers, customers or clients – if you store or manage personal data on a regular basis, GDPR will apply to you.
Many small businesses consider themselves ‘too small’ to adhere to serious compliance, but even self-employed consultants need to take GDPR seriously.
3. What does the GDPR mean for consultants?
The new GDPR means that businesses must change the way they collect, store and manage individuals’ data (individuals are also referred to as data subjects). This means consultants will have to change the way they capture data as well as how they use it for their marketing, sales and communication with clients.
As of May 25th, 2018, individuals will have increased rights regarding their personal information. They will have the right to access their information, amend it, and request it be removed.
Data subjects will have the right to:
- Access their data
Data subjects can access their data at any time and have the right to know how the business is using it. A copy of the data must be given to the data subject free of charge and in electronic form if requested.
- Be forgotten
Data subjects can withdraw their consent for a business to use their data and request for it to be permanently removed.
- Data portability
Data subjects can request for their data to be transferred to another provider and the business must carry this out via a commonly used, accessible, readable format for the individual.
- Be informed of processing
Data subjects must be notified by the business before it gathers personal data on the individual, and this must be done via a transparent opt-in process where the individual gives consent.
- Correct their information
Every individual in the EU has the right to amend or update data that relates to them.
- Restrict processing
Data subjects can stop their data from being used for processing. This means their records can remain in place with the business, but must not be used.
- Object to processing
Data subjects have the right to stop their data from being processed and used for marketing activities – without any exemptions. The business must immediately stop using the individual’s data after receiving the request.
- Be notified of a breach
If a breach occurs in the business and the individual’s data is at risk of being compromised, the business must inform the data subject within 72 hours of the breach.
Consultants will need to make sure they have the correct systems and processes in place to be able to respond to requests from clients.
4. How can consultants collect data under the GDPR?
Many consultants collect personal data by attending networking events, exchanging business cards and then inputting the data into a manual spreadsheet or a third-party app. Under GDPR, this will not be allowed, and consultants that continue these methods of data processing will be at risk of fines.
Instead, consultants will have to prove that the individual agreed for their data to be used. The individual must clearly ‘opt-in’ by completing a form (either on paper or web format) with an ‘opt-in’ tick box and then confirm this action in a follow-up email. This is known as a ‘double-opt-in’.
If individuals wish to receive further information from the business or confirm the business can use their personal data, the individual must perform a ‘double-opt-in’.
If consultants use pre-defined tick boxes and small print disclaimers on their website, emails or other forms of communications, this will be deemed as breaching GDPR.
5. What are controllers and processors?
The GDPR applies to data ‘processors’ and ‘controllers’.
‘Processors’ refers to any action performed on personal data, such as collecting, recording, storing, organising, sharing, erasing, etc.
‘Controllers’ are processors with additional power. Controllers decide the purpose of the processing activities and methods.
Some consultants store client details on an app, making the consultant the controller, and the third-party app the processor. Alternatively, some consultants store and manage personal data manually on a spreadsheet, making the consultant the controller and the processor.
GDPR means that processors and controllers are jointly responsible for how the individual’s data is used. Consultants cannot merely rely on a third-party app or business to manage their data and assume they are complying with GDPR.
Additionally, outsourcing data handling to third parties does not make you exempt from GDPR, and consultants should make sure their data providers have also followed the correct security methods.
It is also important to note that ‘clouds’ are considered processors and controllers, meaning they are not exempt from GDPR.
It is the consultants’ responsibility to ensure that the controllers involved are complying with GDPR.
6. How should consultants prepare for the GDPR?
We’ve put together a short checklist of considerations and actions for consultants to get ready for the GDPR in May. This is just a brief checklist to quickly look at your business and establish any areas you need to focus on. To be fully GDPR ready, you will need to do your own research and potentially seek expert advice.
- Establish the current use of data in your business
Consider where the personal data in your business is coming from and what it is used for. Where is the data stored and who has access to it?
- Conduct a data cleanse
Any data that has expired or is not being used should be deleted. GDPR will mean that businesses cannot hold on to data they no longer need.
Considerations when cleaning up data:
- Can this data be erased instead of archived?
- What is the purpose of saving all this data?
- What is the purpose of collecting all these categories of personal information?
- Is the financial benefit of deleting this information greater than that of encrypting it?
- Map out safety measures
Aim to prevent a breach from occurring by putting safety measures in place, such as updating your data capture methods. Consider what actions you will take in the event of a violation.
- Review business documentation
GDPR will mean new methods of consent for individuals such as ‘opting-in’ instead of using pre-defined tick boxes. Assuming consent will not be acceptable under GDPR. Therefore, consultants should regularly review all privacy statements and disclosures and adjust them accordingly.
- Fair processing notices
GDPR will mean fair processing for individuals, and businesses must give individuals clear information on what the business is doing with their data.
A fair processing notice should include:
- Why the business is processing the individuals’ data.
- The categories of recipients the data may be sent to (customer, employee, supplier, etc.)
- How long the data will be stored for.
- The individual’s data rights.
- Create compliant procedures for handling personal data
The GDPR will require consultants to provide compliant ways for data subjects to access, amend or remove their data. Questions to consider:
- How can individuals legally give consent?
- What is the correct process if an individual requests the deletion of their data?
- How will the business ensure that the request is met and data is deleted across all platforms?
- How will the business transfer data should the consumer request it?
- How will the business confirm that the data genuinely belongs to the person requesting it?
- What is the plan in the event of a data breach?
- Will the business need a DPO (Data Protection Officer) to manage data? A DPO is required for businesses with over 250 employees.
The GDPR will require consultants to monitor their data practices regularly and make sure that compliant systems are in place. As a self-employed consultant, resources can be minimal, and the thought of meeting these requirements may cause some headaches.
However, it’s important to note that although businesses are at risk of penalties for non-compliance, it’s not all doom and gloom.
Consultants that choose to comply with GDPR could be at an advantage over their competitors. No client wants their data to be lost, stolen, damaged or misused and consultants that take GDPR seriously could gain trust and loyalty from customers and clients.
7. What happens if consultants do not comply with the GDPR?
Businesses that fail to comply with the new GDPR will be subject to significant penalties – up to 4% of annual global turnover or €20 million, whichever is higher.
The fines vary and are subject to the severity of the breach. For example, if a business does not have their records in order, they could be fined 2% of annual global profits.
It’s important to emphasise that these penalties apply to all businesses – regardless of their size. GDPR fines also apply to both processors and controllers – meaning third-party applications and ‘clouds’ will not be exempt from enforcement.
Preparation for GDPR in May is vital. However, compliance should be treated as an ongoing task for consultants. Although GDPR may feel like a major task on the to-do list, consultants should set aside time to get to grips with it and ensure their business is ready by May.