New rules on data protection (the General Data Protection Regulation or “GDPR”) come into force on 25th May 2018, replacing the current Data Protection Act 1998. These will affect all businesses but, despite some scare stories, are nothing to panic about.
This guide will give you some brief details of the changes and set out what you should be doing now.
Can I just ignore the changes?
You could, but this could cause you problems in the future (more on this below). So we are advising business owners to take steps to comply with GDPR, but to put these in context with the various other risks and challenges facing your business.
The GDPR adopts a ‘risk-based’ approach to compliance. We expect that most SMEs contacted by the Information Commissioner’s Office or “ICO” (the organisation responsible for enforcing GDPR in the UK) in respect of breaches will receive a warning or reprimand in all but serious cases.
But, as the scaremongers have been quick to point out, the ICO can levy fines of up to the greater of 4% of an organisation’s annual turnover or €20m. Plus there is the reputational damage that a loss of sensitive data could inflict on a business.
What are the main points of the GDPR I need to be aware of?
The GDPR sets out a number of principles which businesses should comply with when processing personal data. Personal data is basically any information about an identifiable living person - so customer details, employee records, or a prospective client database are likely to be caught.
Briefly, businesses must take steps to ensure that personal data is:
- processed lawfully, fairly and in a transparent manner;
- collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- accurate and, where necessary, kept up to date;
- not kept for longer than is necessary; and
- processed in a manner that ensures its appropriate security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Businesses should also identify the ‘lawful basis’ on which they process data. One of the most common of these will be processing data with the consent of the individual. Under the GDPR consent will be harder to obtain - probably needing some form of affirmative action, such as actually ticking a box.
Data subjects - the people you hold data on - will have enhanced rights under GDPR. These include the right to ask you for the data you hold about them; the right to be forgotten (in other words, to have you delete the data you hold about them); and the right to ask you to transfer that data to a third party. You should consider how you will deal with these requests.
And businesses will have to notify the Information Commissioner’s Office of all data breaches. If the breach is likely to result in high risk to the individuals, businesses may also have to inform those people.
What should I be doing now?
All businesses should be able to demonstrate that they have considered and taken steps to comply with the GDPR. As well as this being a requirement of the GDPR, many businesses will start seeing their customers and suppliers asking for evidence of this.
We suggest that business owners start with an ‘information audit’, which simply means documenting things such as: what personal data your business holds; how sensitive it is; where it came from; where your business holds it; what you do with it (and why); how you keep it secure; and how long you keep it (and why).
Without a good understanding of this it will prove extremely difficult to comply with your data protection obligations.
If you would like an outline of an information audit which you might want to use as a starting point, please let us know and we will email one to you.
You should also dig out any policies, procedures or notices relating to data and data protection which already exist within your business and update them if necessary.
You need to document that you have considered the GDPR and the steps you have taken to comply with it. Taking steps to demonstrate compliance (such as doing the audit referred to above) will help reduce your potential liability.
Quite how to do this and how much time should be spent on it varies a great deal from business to business. If you need help with that, please call us and we will help you decide.
More guidance is likely to be produced in the early part of next year as May approaches. Some useful guidance is set out on the ICO’s website. Or please speak to us on what you should be doing.
If you would like further details on GDPR and how these might affect you or your business, please contact Mark Daubney (tel: 01482 316725 or e-mail: firstname.lastname@example.org).