Is your company up to speed on new data protection laws?
With just over a week until the new European General Data Protection Regulation (GDPR) comes into force, many SMEs in Wales will have lots of questions about what exactly it means for them. Here, Susanne Matthissen, employment lawyer at Capital Law and GDPR expe
■ GDPR definitely applies to you
The GDPR will replace our existing UK laws on data protection – making it the most significant change in data protection law in 20 years. It’ll mean that all organisations have to change the way they capture, use, and share personal data – both within their organisations, and externally – no matter their size or structure.
If you are a data controller (the organisation that decides the purposes and means of processing, in other words why and how an individual's personal data is processed), you will need to be GDPR-compliant whether you are based in the EEA or outside it: the GDPR also reaches organisations outside the EEA that offer goods or services to, or monitor the behaviour of, individuals in the EU. Data processors (who process personal data on behalf of a data controller) also have new obligations of their own under the GDPR, including security, record-keeping and breach notification duties, that will need to be adhered to.
There’s no small business exemption – even if you’re a one-man band. Regardless of your size, you must be GDPR-compliant by May 25 – there is no grace period.
However, it is recognised that smaller businesses may have fewer resources available to them and are likely to process smaller volumes of personal data. What counts as an "appropriate" security measure is judged against the risk of the processing, taking into account the cost of implementation, so for a typical SME it may be less demanding than what is expected of a large organisation. Some of the more rigorous requirements are also scaled back for smaller businesses: for example, an organisation with fewer than 250 employees need not keep full records of its processing activities unless the processing is likely to result in a risk to individuals, is more than occasional, or involves special category or criminal offence data. Note that the test is risk, not headcount alone: a small practice handling health or financial records is still expected to protect that data properly.
■ You’ll need to think about what you’re doing with data – and why
You will need to understand what personal data your business processes, why you are processing it and what legal basis (under the GDPR) applies. It is also important that you are clear on where the information is obtained from (direct from the individual or from a third party) and who you might share it with.
You will need to have privacy notices (also referred to as fair processing notices) explaining to customers, employees and third parties what you do with their personal data. The GDPR requires more information to be disclosed in your privacy notices than the current law, including the lawful basis you rely on, how long you keep the data, who you share it with and the rights individuals have, so if you already have privacy notices, check they are in line with the new requirements.
Traditionally, organisations have relied on consent to process personal data. This has historically been obtained through a variety of (sometimes discreet) means: employment contracts, terms and conditions, or the option of an opt-out or pre-ticked consent box. The GDPR introduces a much higher bar for valid consent: it can no longer be wrapped up in terms, it must be a positive opt-in, the individual must know exactly what they are consenting to, it must be as easy to withdraw as it was to give, and you must be able to evidence it. Any existing consents must be checked for compliance; you may need to obtain new consents for existing customer processing, particularly for marketing.
However, you may not always need to obtain consent to process personal data – first check if there is another legal basis you can rely on for the processing.
This doesn't just apply to your customers or clients. If you're an employer, you'll have to think carefully about the legitimate business reasons for collecting and using employee data, and rely on those reasons rather than on consent: because of the imbalance of power between employer and employee, consent given by staff will rarely be regarded as freely given.
Where you do rely on consent, you will need to take a granular approach, with specific consent for each different use of personal data. For example, when emailing a receipt to a customer, you are unlikely to be able to also send details of the latest offers or promotions based on page views, profile or past purchases, unless the customer has signed up to receive marketing communications based on profiling or the "soft opt-in" rules apply. (The soft opt-in comes from the Privacy and Electronic Communications Regulations, PECR, which govern electronic marketing alongside the GDPR and allow you to email existing customers about your own similar products, provided they were given a chance to opt out when their details were collected and in every message since.)
You will also need to be aware of what data subject rights apply to your processing activities. There are eight rights of individuals that you'll need to understand, know when they apply, and be prepared to deal with (most requests must be answered within one month):
■ Right to be informed
■ Right of access
■ Right to rectification
■ Right to erasure (the "right to be forgotten")
■ Right to restrict processing
■ Right to data portability
■ Right to object
■ Rights related to automated decision making/profiling.
■ There are consequences if you don’t comply
From May 25 – when the regulations come in – you must be compliant. There is no period of flexibility, so you need to start preparing now.
If you don't comply with the new laws, you'll be open to enforcement action, which could damage your reputation as well as your bank balance. The maximum penalty for the most serious breaches is a fine of up to €20m (roughly £17m) or 4% of your total worldwide annual turnover for the preceding financial year, whichever is higher.
And if you suffer a personal data breach, a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, whether caused deliberately or by accident, you must report it to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Where the breach is likely to result in a high risk to those individuals, you must also tell them without undue delay. If you don't, you're opening yourself up to two fines: one for not reporting the breach, the other for the breach itself.
It is important you and your employees are able to recognise a data breach and know when and how to report it in line with these new requirements.
■ Expect people – your employees and customers – to be clued-up
It will be increasingly important for you to be able to demonstrate that safeguarding your customers’ personal data is at the heart of what you do – both for the new “accountability” principle and for business relations.
As the GDPR comes in, individuals will become increasingly aware of their rights, particularly in light of the recent data protection scandals flooding the media.
Transparency is key and this is where your privacy notices will be important – if an individual suspects you’re breaching their rights, they can complain to the ICO, who’ll take any complaints seriously.
If you tender for business with larger organisations, they will expect you to have GDPR compliance in place, so update your practices, policies and terms and conditions now to stay ahead of the competition. Many businesses see GDPR as an opportunity to update their business practices.
Where you engage a data processor (IT services, for example), you must update your contractual terms with them to include the mandatory data processor clauses required by the GDPR. These cover, among other things, the processor acting only on your documented instructions, keeping the data confidential and secure, not appointing sub-processors without your approval, helping you respond to data subject requests and breaches, and deleting or returning the data at the end of the contract. If you are a data processor, expect data controllers to be in touch with requests about this.
■ There are tools to help you understand what you need to do
GDPR can seem daunting, particularly if you're a very small business. But the action you need to take is proportionate to your size and to the risk of the data you handle.
If you’re a one-man-band, you won’t be expected to have the same data protection measures as Google. You just need to make sure that you’re compliant with the key principles of GDPR and put in place measures that are suitable for your business.
And you don’t have to work this out on your own; there are several handy tools that can help you.
Firstly, the ICO has developed an entire section on understanding GDPR, with a dedicated advice line. This service is aimed at smaller businesses that are struggling to prepare. In addition to its new phone line, it has also developed a "12 steps to take now" document, to help prepare you with targeted information, as well as more detailed GDPR guidance.
Secondly, the ICO has recently developed a “lawful basis” tool. This will give tailored guidance on which legal basis is likely to be most appropriate for the data processing your business undertakes. It’ll give you an “indicative rating for each lawful basis, based on your answers to key questions, with advice on suggested actions and links to relevant guidance content”.
Using tools like this can really help businesses of all shapes and sizes to work out what legal basis they can rely on for their processing activities.
Almost all organisations process personal data – whether HR or commercial – and, under GDPR, you’ll need to be clearer about why and how you’re doing that.
The ICO’s tools will make it quicker and easier to check and better understand how any processing activities fit in with the law, which will be key for accountability.