GDPR guide for UK small business ownersSmall Business Advice 19 April 2018
Most businesses are perplexed by the General Data Protection Regulation (GDPR) with the deadline a matter of weeks away. A recent survey from FSB found that over 90% of UK business owners aren’t ready for the new data regulation that comes into force on 25 May 2018. There are serious reasons to become GDPR compliant, with scores of businesses potentially risking huge fines and compensation claims. In this guide we will help you find out what the new data protection laws mean for your business and how you can prepare for the changes.
What is the GDPR?
It’s a new set of laws concerning the secure collection, storage and usage of personal data. Businesses will need clear consent to use data, which must be freely given, specific, informed and unambiguous. Businesses won’t be allowed to receive conditional consent from contracts or consent from pre-ticked boxes and opt-outs. A person’s consent will be invalid if they believed it was detrimental to share their personal data.
What’s personal data?
Information used to identify a person like a name, identification number, location and even cultural or social identity.
What are the main objectives of the GDPR?
- To give people more control over their personal data.
- To strengthen data protection across the European Union (EU).
- To simplifying the regulatory environment, helping everyone benefit from the digital economy.
Do I need to abide by the GDPR as a small business owner?
The GDPR will apply to any business that processes the personal data of EU citizens. Different types of data records must be kept depending on the size of a business.
When is the deadline for GDPR compliance?
The deadline for compliance is on May 25 2018.
For large businesses…
Companies with more than 250 employees must keep detailed records including:
- The name and details of your data protection officer
- A description of each personal data category
- A description of the recipients of this data
- The details of any foreign transfers of data outside the EU, including:
- Documentation proving that data will be protected abroad
- Retention schedules of businesses holding the data
- Descriptions of technical and security measures
For small & medium businesses…
Companies with less than 250 employees will be exempt from the above duties if they only occasionally process the data of EU residents.
Small or medium-sized businesses will need to record the following data:
- Data that potentially risks somebody’s rights and freedoms
- Data that relates to criminal convictions and offences
How will Brexit impact the GDPR? The UK government confirmed that Brexit won’t affect the running of the GDPR. Post-Brexit will see the UK’s own law or Data Protection Act directly reflect the GDPR.
What penalties could I face?
The penalties could be large enough to ruin some businesses. The Information Commissioner’s Office (ICO) can fine up to £500,000. The GDPR will allow fines of up to €20 million or four percent of your annual turnover (whichever is higher). However, a business can avoid a harsh fine by proving their policies and governance are designed to meet GDPR.
What’s the ICO? An independent body set up to uphold information rights in the UK.
How do I prepare for GDPR?
The GDPR applies to two types of data handler – data controllers and data processors. You’ll need to know which category you fall under.
Data controller: a person or organisation who decides what data should be collected and how it should be used.
Data processor: a person who processes data on behalf of a data controller and has no input into how it’s used.
One crucial difference is that data processors have legal liability if a breach takes place. This doesn’t mean a controller is relieved of responsibility, the GDPR places obligations on them to make sure contracts with processors are compliant. Find the GDPR checklists for both data controllers and data processors here.
The 12 steps small business owners need to take before GDPR
The ICO published 12 steps to help businesses get ready for the GDPR.
- Be aware
Make sure your key decision makers know that data protection laws are changing. They can help identify which areas could be affected by the GDPR. Start by looking at your company’s risk register (if you have one). Action: set up meetings and workshops to create a plan of action.
- Become accountable
Document where your personal data comes from and who you share it with. Then let other companies know if you shared inaccurate data with them. All contracts must be reviewed and amended where necessary. Consider contracts with suppliers, this may involve the exchange of personal data. If an external data processor is used, the contract must contain the terms specified in the GDPR. Action: carry out a detailed audit of all the data you hold
- Communicate privacy information
Action: Review your data privacy notices and make the necessary changes. This is a simple way to let people know how you plan to use their information.
- Review personal privacy rights
Action: Check that your procedures cover additional personal privacy rights applied by the GDPR. New personal privacy rights include:
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- right not to be subject to automated decision making and profiling
- Deal with requests
Update your procedures and plan how you’ll handle requests based on the new rules. You need to consider the logistics of dealing with more requests. Action: develop an online system so people can easily access their information.
- Know your lawful basis
The lawful basis you use to handle personal information needs to be GDPR compliant. Any changes should be included on your privacy note. You can communicate under several types of legal grounds:
- Your personal data is needed to fulfil an agreement with you
- Your personal data is needed to protect your interests
- Your personal data is needed to protect public interest
Action: review the language you use about handling personal information
- Get customer consent
Action: Review how you seek, record and manage consent and refresh existing consents. This legal basis is undergoing the most change under GDPR and you should read the ICO guidance for more information.
- Protects children’s data
Action: If necessary, use online systems to verify people’s ages and to obtain parental or guardian consent. For the first time special protection for children’s personal data will be used for online services and social media.
- Report data breaches
Report breaches in data security to the ICO within 24 hours if possible but at least within 72 hours. You’ll need to notify other businesses if you shared inaccurate data with them. Failure to report may lead to a fine and a penalty. If there’s a high risk of identity or financial theft, it must also be reported to the data subject. You can find out more about reporting breaches here. Action: report breaches for the loss of a USB stick, theft of a laptop or hacking.
- Carry out DPIA
Identify privacy issues and work out how to solve them by carrying out Data Protection Impact Assessments (DPIA). The GDPR will introduce mandatory DPIAs for businesses involved in high-risk processing.
Action: figure out who will do the DPIA and if the process will run centrally or locally.
- Get a Data Protection Officer
Employ a Data Protection Officer (DPO) if your business handles a lot of data. Their role is to ensure the company complies with GDPR. They’ll be the point of contact for any data protection queries. Action: figure out where the DPO role will sit within your business.
- Think internationally
Identify your lead supervisory authority for processing data if you do business in more than one EU country. This can help you map out who makes decisions about data processing in your business. Particular care must be taken about the inadvertent export of data (for example, by the use of cloud processing where the servers can be anywhere in the world). Find out more in Article 29 Working Party guidance.
The GDPR might seem like a minefield but it’s largely building upon the UK’s existing Data Protection Act. It’s important to make sure your data controller takes responsibility for making sure you become compliant. But you should also examine the above areas so all your bases are covered before the deadline on 25 May 2018.
This note is intended as a general guide to GDPR for small business owners. It is not comprehensive and in order to be of reasonable length and readable it has had to omit certain areas and details. As a result, it is not a substitute for professional or legal advice upon data protection law and practice.