GDPR as a small business
What do I need to do for GDPR as a small business?
Let’s start at the beginning GDPR’s predecessor was the Data Protection Act 1998, which hadn’t been reviewed for many years and was deemed not relevant to present-day technologies. The changes introduced with GDPR are designed to reflect the online world we’re living in so that people can continue to protect their privacy and personal data, which is one of the reasons behind the update to data protection law. Therefore on 25 May 2018, the DPA was replaced by the General Data Protection Regulation (GDPR).
GDPR is different from the DPA as the law applies to all businesses and protects more data. The consequences of non-compliance can no longer be ignored. Organisations are obliged to show that they comply rather than merely say that they comply. If organisations get things wrong and personal data is lost or compromised, the likelihood under the GDPR is that they will have to report the breach, and in many cases, this will lead to fines, not least reputational loss, or worst situation prison sentence.
Aside from the legal obligations of GDPR for a small business it is also considered best practice to be managing and controlling the way your business handles, stores and uses your client, staff and individuals personal data. No business is too small to be excluded.
What are the key differences between DPA and GDPR for a small business?
The main point to remember is that every business, no matter how large or small, is responsible for protecting their customer’s personal data.
One of the most essential aspects that a small business needs to be aware of regarding GDPR is that you need a legal basis to process personal information. One of those legal bases is “consent”. This was the case under the DPA and remains central to GDPR. However, under the GDPR, that consent will have to be more specific and more granular. For example, instead of getting consent for marketing by ‘opt out’ or, so-called ‘soft opt in’, organisations will have to obtain separate, specific ‘opt-in’ consent for marketing by email, by telephone and by in-product messaging. Also, under the GDPR, organisations will have to inform individuals that they can withdraw such consent at any time.
Fundamentally the two fundamental principles of GDPR are that businesses must have appropriate legal grounds for processing personal data and do so transparently, and a business can only collect personal information for a specific purpose and only use it solely for that purpose.
What does a small business need to do to comply to GDPR?
Know your data. You need to demonstrate an understanding of the types of personal data your business is handling, storing and processing (for example name, address, email, bank details, photos, IP addresses) and sensitive (or special category) data (for example health details or religious views) you hold, where they’re coming from, where they’re going and how you’re using that data.
Also, under GDPR you need to understand and identify whether the activities you use the personal data for makes you a CONTROLLER or PROCESSOR.
Data controller – The person or business that determines how and why personal data is collected. The data controller must ensure the business is fully compliant with GDPR – including transparency, data storage, data confidentiality and accuracy of data collected and stored. They are also responsible for notifying the Information Commissioner’s Office (ICO) if a data breach occurs or data is stolen or lost by your business. A small business owner would normally be the Data Controller.
Data processor – The person or business responsible for processing personal data on behalf of a controller. This encompasses anyone with access to personal information and who uses it in any way, such as creating and sending marketing emails. A processor must ensure data is processed in line with GDPR requirements and record processing activities. They must also follow the businesses data handling and processing protocols and adhere to all security when handling data.
Who is responsible for GDPR in my small business?
Everyone has a responsibility for GDPR in their day to day work, if they are handling, process or manage personal data. Therefore all staff should have GDPR training and a good level of understanding of their responsibilities.
Businesses whose activities involve ‘regular or systematic’ monitoring of data subjects on a large scale (in other words processing extensive personal information), or which involve processing large volumes of ‘special category data’ must employ a Data Protection Officer (DPO). Their role will be to ensure the company complies with the obligations under the GDPR. They’ll also be the contact for any data protection queries
You are only obliged to have a DPO if you are a public authority or body or if your organisation’s core activities require regular and systematic monitoring of individuals on a large scale, deal with ‘special categories’ of personal data, or ‘criminal convictions or offences data.’ Some activities that would come under systematic monitoring would be tracking individuals’ behaviour, such as on the internet or on CCTV,
Is it just new data we collect that we need to comply GDPR to?
Data you collected before GDRP, as well as new, are included under GDPR obligations.
Both past and present employees, suppliers, clients, and anyone else’s data you’re processing, which means if you are collecting, recording, storing or using their information, such as newsletter recipient you need to adhere to your GDPR obligations for old and new.
What policies do I need?
Regardless of the size of the business you need to ensure you have certain data processing notices, which should be displayed publicly for anyone wanting to view them.
Your documentation should detail how you capture data, how you process and store it, and how an individual can request a SAR. You should also ensure that any time you collect data you provide a link or include details of the FPN so an individual can understand how your business will use their data, the categories of recipients you may be sending the personal data to (customer, employee, supplier, etc)
You must also detail why you’re processing their personal data (the purpose), including the legal basis you have, such as consent and how long you retain their data.
Consent is obtaining permission to hold a person’s data.
You must obtain consent from all new customers but notably all existing customers as well. If you’re are using an exist data subjects personal data or intend to use it, you must obtain consent, even retrospectively.
The consent received must to be clear, specific, explicit and freely given. You need to keep your consent separate from your Terms and Conditions.
Clients, employees or other individuals for which you store, handle or process their data must all provide their ‘consent’ to hold their data. Since the changes in 2018 consent has been tightened. Meaning requests for consent can no longer be hidden in small print but must be presented clearly, and separately to other policies on your website or communications – so you cant have a pre-ticked box, the person must tick the box as a conscious decision to agree.
What this means in a practical sense is that you must clearly explain what personal information your business is collecting and how it will be used (the purpose). The individual must actively agree/consent. If not, you are not permitted to capture and store this data under any circumstances. This includes conditional data collection, where data is collected as a condition of using a service, such as offering an incentive to sign-up to a newsletter and then using that data for marketing.
You must also have a record of the consent, including; who, when and how you gained consent.
But also please ensure you make it clear and easy for people to withdraw consent.
How long can a business hold personal data?
A business cannot hold personal data for longer than necessary, or process it for purposes that the individual isn’t aware of.
You must be clear about why and how you will use the data you store.
Therefore you must define your retention period for the data you hold and how you destroy and dispose of it.
You must record when you first collected a person’s data, how it is handled and how long it is retained for.
Therefore it is often advisable to have a central and robust system that retains all your interaction with your data subject, so you have a transparent audit trail of how your business collected, handles and stores their data.
Often a CRM (customer relationship management) system can help enable this for the smallest of businesses, as you can sync emails and marketing campaigns into it.
What is a Subject Access Request (SAR)?
A subject access request (SAR) is simply a written request made by or on behalf of an individual for the information which he or she is entitled to ask for under GDPR. The request does not have to be in any particular form.
There is a legal requirement to reply to the SAR within one month from receiving the request, so you must record the date of receipt of the request.
A SAR can be made for any of the following reasons:
– To know what personal information an organisation holds about them;
– how the organisation is using it;
– who the organisation is sharing it with; and
– where the organisation got the data from.
You must reply to the request within one month from the date of the request, which can only be extended in mitigating circumstances.
What is special category data?
Many people might be more familiar with the terminology sensitive data, however, this is no longer a standard term for this type of data; it is now “special category.”
Most small businesses will be exempt.
Under GDPR ‘special categories’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person’s sex life or sexual orientation.
The impact of GDPR on your suppliers or third party providers?
If as part of the delivery of your service you outsource any part to a third party where they are in contact with any form of personal data, you are obliged to undertake your due-diligence on your supply chain. You should ensure that all suppliers and contractors are GDPR-compliant to avoid being impacted by any breaches and consequent penalties. You also need to ensure you have the right contract terms in place with suppliers and that you have evidence of their GDPR handling practices.
You can send them a GDPR compliance checklist for small businesses for completion.
The additional clause in the contract you need to include is Article 28(3) of the GDPR. This clause ensures that processors are contractually obliged to provide GDPR-compliant data protection standards. This clause places essential obligations on them, such as the need to notify you promptly if they have a data breach.
What is a data breach?
In GDPR terms a breach is defined as a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A serious breach must be reported to the regulator (Information Commissioner’s Office (ICO)). This should be within 24 hours where possible, but at least within 72 hours and the report must include information regarding what led to the breach.
It is an employer’s obligation to ensure all employees understand what constitutes a personal data breach and build processes to pick up any red flags.
You should also ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
How will BREXIT affect GDPR in the UK?
The Information Commissioner and the UK government has confirmed that Brexit will not affect GDPR, and businesses will need to continue to adhere to the same level of obligations and best practice. It’s also confirmed that post-Brexit, the UK’s law (or a newly-proposed Data Protection Act) will directly mirror the GDPR.