GDPR Basics - What small businesses and organisations need to know!

If you are working within a business or organisation of any kind, you may have been hearing whisperings about "GDPR" being introduced to replace the 1998 Data Protection Act and be wondering what it's all about. 

In 1998, as the new Data Protection Act was introduced, the UK was just starting to move into mainstream public internet access, so our current Data Protection laws are not presently fit for the digital age. GDPR will seek to address this. 

GDPR compliance will look very different for a larger company or organisation than for a smaller business, but here is some information to get you thinking about how you can ensure that your business or organisation is compliant in order to avoid the new huge fines which this regulation will bring about.

So what is GDPR all about?

GDPR is the EU’s General Data Protection Regulation (GDPR) which comes into force in the UK on 25 May 2018. When the GDPR comes into force, it will entirely replace our current Data Protection Act 1998 (DPA) and radically overhaul many of our existing data protection rules.

Some of the precise detail as to how the GDPR will be implemented here in the UK has yet to be decided.

Why is it important?

Because no matter how small a business you are, you have to comply with new regulations regarding the secure collection, storage and usage of personal information. You can be heavily penalised for failing to protect peoples data. a firm could be fined 4 per cent of its global turnover. GDPR states that personal data shouldn’t be kept for any longer than needed. General Data Protection Regulation allows greater protection for consumers and gives them more control over how their personal information is collected, stored, shared and used.

Article 30 of the regulation declares that organisations with fewer than 250 employees will not be bound by GDPR – although there are several stipulations that we will come to that mean they probably still should.

The two central objectives of GDPR are:

1) Give citizens and residents back control of their personal data

2) Simplify the regulatory environment for international business by unifying the regulation within the EU.

What does it mean?

In a new digital world which has progressed since the data protection act of 1998, individuals have more rights dictating how businesses use their personal data. They also have more rights governing being able to request that companies delete data about them which is freely available on the world wide web – i.e. dubious content from their younger self which could now affect job prospects or credibility, or data which a company holds about them which is incorrect or outdated. 

New Individual Rights

• The right to be informed – how your data is being used
• Right to access to your data whan you request it
• Right to rectification of incorrect data
• Right to be forgotten – online and offline.
• Right to restrict processing or prevent direct marketing
• Right to data portability so to be able to move data from one company to another
• Right to objection – if you don’t agree with what it being held.
• Right not to be subject to automated decision making when it comes to data - including profiling

Data is held by companies in many formats, some of which we don't always realise we have. 

They key to GDPR is to demonstrate you are telling people how and where their data is being stored, you are using data only for the purpose it was given for, and you are ensuring procedures are in place to hold it securely.

So consider how regularly you deal with personal data – and that includes present and past employees and suppliers, not just customer data...

Practical examples of how small businesses store data:

• Storing a clients’ number or name/address on your phone, or having their details on a CRM app you can access via your phone. Do you have sufficient security which means someone couldn’t access this.. for example, do you have a lock on your phone, or can someone use the “Hey Siri/Hey Google” function when the screen is locked and access client data. 
• Someone send you a message with a potential new clients number and asks you to give them a call – that message sits on your phone.
• A potential client enquired and now their data is sitting on your CRM, your spreadsheet or email list. 
• You met someone at networking and took their card.. where are those details stored?
• You met someone at networking, took their card… and added them to your email list… more of that later... 
• You have a paper file with all of your customer details and forms in sat on a desk by the window in your office.
• You have been working with a client and you have sensitive information or maybe even their log in passwords sitting in your email account. How are you protecting them.
• Keeping data on scraps of paper, kept in a file which could be easily moved from your desk or lost/stolen on the train
• Keeping files on an unsecured desktop.

THE KEY IS CONSENT 

It's all about Consent, Consent, Consent…

1. Review how you seek, record and manage consent. Refresh existing consents if needed. 
2. Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in. Consent cannot be inferred from silence, preticked boxes or inactivity.
3. Consent must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent. Public authorities and employers will need to take particular care. Consent has to be verifiable and individuals generally have more rights where you rely on consent to process their data. It's helpful to have a notice of some description stating "by signing this contract you are consenting to”.

From a marketing perspective, the key to being GDPR compliant is to ensure you have consent to marketing to individuals that you hold data for. It seems that daily I receive emails from people I have met networking who have taken my business card and added me to their mailing list in order to start sending me marketing communication. At the moment, this is just "frowned upon". From May 2018, it will be illegal and you could be penalised for it. 

You have to positively opt-in to communications from now on, and it is good practice to go through your current list and send your subscribers a mailing asking them to pro-actively resubscribe. Don't see this as a negative... It could be a good way to clean your email list. 

All marketing mailings MUST have an unsubscribe option available, so no more word newsletters sent to a (hopefully) BCC'd group of people. Newsletters have to be through an online sytem of some decription such as Mailchimp or Aweber. 

If you are signing people up to your list, they have to opt-in for separate mailings. You can no longer just get them to tick a box, or assume if they gave you their email address that they will be happy to hear from you. 

So how can you ensure you are being GDPR Compliant? 

• Have the right systems and processes in place for the safe storage of data – i.e. on a cloud based system or CRM rather than on scraps of paper or on your desktop where it can be hacked and stolen. People need to know exactly how and where their data is held.
•  In a perfect world all data would be stored securely and processes would be in place to ensure personal data is kept separately under a security framework.
• GDPR will mean that every piece of personal information held by your business needs to be identified – even if it’s on a mobile device or in the cloud.
• It’s a complex task for sure, but one that needs to be carried out to ensure efficient handling of data in the future. Some businesses may think they can achieve compliance by using a complicated spreadsheet. But this won’t help you find the data that you don’t know you have.
• When you understand where you’re holding personal data, you’ll then be able to better monitor compliance and the processes involved in dealing with that data.
• You’ll also be prepared for Subject Access Requests (SARs) – a request under the DPA used by individuals who want to see a copy of the information an organisation holds about them – and the ’right to be forgotten’, which may require you to identify and erase all of an individual’s data.
• Preparation will be key, but GDPR compliance will be an ongoing task that will require careful monitoring. Being aware of the new regulations and what they mean for your business is vital. So don’t stick your head in the sand and wait for it to pass. After all, once the GDPR arrives, it’s here to stay.
• Remember that GDPR IS for all! Be Aware that GDPR is coming and it matters to you. It could impact on your budget and staff time.
• GDPR WIDENS DEFINITION OF PERSONAL DATA Document what personal data you hold, where it came from, who you share it with, may need an info audit. Compliance is not enough. You have to be able to demonstrate you are being compliant.
• Review Privacy Notices – such as ensuring people you tell the how you intend to use their data how long you plan to keep their data for and that indiviudals have a right to withdraw consent or complain to the ICO if they think you have breached GDPR.
• Check how your procedures cover individual rights, including how you would delete personal data or provide it electronically.
• SAR– Subject Access Requests, update procedures and plan how you would handle requests. Must be free and within 30 days.
• Make sure your procedure for processing data is legal and displayed in your privacy notice.
• Make sure clear consent to use an individual's data is being gained. Assumed consent is no longer enough. 
• Consider if you need systems in place to verify individuals ages and obtain consent from parents for data processing. Currently the age of GDPR consent is set at 16, although this could be lowered to 13.
• Make sure you have the right procedures to detect report and investigate data breaches, if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. You have a maximum of 72 hours to report a data breach, although reporting within a 24 hour period is preferred.  
• Designate a DPO – Data Protection Office to take charge of com. Must be able to work independelty of instruction.
• International – work out if you need to adhere to international data laws.
• Ensure any policies you have are written in clear-non technical language.
• Ensure your Privacy Notices are easily accessible & not buried on your website.

The ICO has a good overview of General Data Protection Reform on their website. 

So if you need any help with GDPR or you want to ask us more about it, then please get in touch!