We’re going to answer some of the burning questions we know you may have, like: “What is the GDPR?”; “What does it mean for small businesses?”; “What do I need to do to prepare?”.
With this article, we aim to introduce you to the GDPR and what the upcoming changes mean for small businesses. It might look like a scary list, but we’ll take it step by step so that you’re left feeling a bit more in the know. Without further ado let’s get started on what the GDPR is, and how it can affect you as a small business owner.
The General Data Protection Regulation is a ruling put in place by the European Parliament and European Commission, in an attempt to increase the level of security surrounding the personal data of each and every EU citizen. It will come into effect on 25th May this year, and if your business is found to be non-compliant with the new guidelines, you could receive a hefty penalty.
The changes to regulations will affect all EU citizens, as well as all businesses operating within the EU. If you hold any personal data (this includes any names, photos, email addresses, bank details or medical information) belonging to EU citizens, you are accountable under the GDPR. The new guidelines also apply to any data processors or data controllers; so if this is you, keep reading!
Once the new regulations come into effect, penalties will be imposed if businesses are non-compliant, or if any data breaches occur and are not addressed within a certain amount of time.
A breach is when any outside entity obtains access to the personal data of an individual without their permission. If you hold any personal data belonging to your customers or members, you have a responsibility to protect that data. If a breach does occur, you have 72 hours to notify the relevant data protection agency as well as the affected individuals, so that the breach can be contained.
For any cases of non-compliance with the GDPR after 25th May 2018, the punishment will fit the crime – big businesses with big breaches may have to pay up to 4% of their global turnover or €20m, whichever is higher. Even if your business isn’t big and your non-compliance is only minor, the penalties will still apply, so don’t get caught out.
The Information Commissioner’s Office (ICO) offers a fully comprehensive “To-Do List”, which we have trimmed down to a handy “Top 10 Things To Do” for you to have a think about.
Make sure that the relevant people within your business are aware of the new regulations and what they mean. These VIPs include: data processors, data controllers, and anyone who has access to the personal data of your customers/members.
It might be helpful for you to make a note of any areas where you think that compliance could be an issue so that you can pay particular attention to these. A good place to start is with your risk register if you have one.
If you don’t already have one, make a comprehensive list of all of the personal data that you hold, whom it came from and whom you share it with too. This doesn’t just stop at the data new members/customers provide you with. You need to be sure to keep track of any processing activities such as a change of details. If you don’t do this, it can lead to complications further down the line if you share incorrect information with another party.
Ideally, you’ll already be in the habit of using a privacy notice and will be giving customers/members your identity along with any information regarding how you intend to use their data once you’ve collected it. With the GDPR come a bunch of changes to what you must provide customers/members with, including explaining your lawful basis for processing their data, the retention periods and their personal rights to complain to the ICO if something isn’t right.
Your data processing procedures have to be in line with individuals’ rights, and these have been updated to include:
Whilst you might know that it’s legal for you to process the personal data of your customers, they may not be aware and they have every right to question this. So make sure you can clearly identify your lawful basis for processing the data, so that when you come to answer a subject access request you can explain it.
Consent absolutely has to conform to the following three guidelines:
You must also provide a positive opt-in method, as consent cannot be inferred simply from an un-ticked box or a lack of response/activity. As well as this, consent must be an issue addressed separately from the rest of your Ts&Cs so don’t try to hide it away amongst the small print. Finally, a simple and clear withdrawal method must be made available.
One of the biggest changes to the GDPR is that any personal data belonging to children under the age of 16 will now be protected. This means that you’ll have to consider seeking the consent of a parent or guardian in order to pass on a minor’s data lawfully. Another thing that you should be thinking about with regards to the GDPR in relation to children, is ensuring that your privacy notice is written in language that a child can understand. This could be helpful for adults too if it’s explained in more basic language!
Hopefully this will never happen, but if it does it won’t be a problem because you’ll be prepared! Make sure you know your procedures for detecting, reporting and investigating personal data breaches and be aware of when you need to notify the ICO of any issues. This includes instances when a breach could result in risking the rights and freedoms of individuals in the form of discrimination or financial loss.
You obviously need to ensure that the data you hold is in line with the GDPR guidelines, but you also need to check that your suppliers’ data is too. You might think because they’re not a member or customer of yours that it doesn’t matter, but suppliers are very much included in the GDPR so ask them for proof that they are also compliant. Better safe than sorry!
The ICO has put together a really helpful guide to advise you on all things GDPR-related, so head to their website to have a read if you’d like to delve into this issue even further.
Whilst it’s still dark and cold it may feel like 25th May is ages away. But it’s likely to creep up on you so don’t delay in making the necessary preparations to ensure that you’re compliant. Because let’s be honest… no one has a spare €20m hanging around!