Need help with GDPR? Talk to us about your concerns.
What is GDPR?
- What is GDPR?
General Data Protection Regulations – new rules that change the existing Data Protection legislation. Many businesses are not aware that it exists.
- When did it start?
25 May 2018.
- Who does it apply to?
All businesses and organisations that keep (control and process) Data.
- What is data?
Information about an individual who resides in the EU sufficient to be able to identify them.
- What do businesses/organisations need to do?
Take positive steps to manage any data in a way that is proportionate to the size of the organisation/business.
- What is the point of GDPR?
To ensure that Data is treated for what it is – a valuable asset. It is annoying for big companies to trade it and use it for marketing, whether you want it or not. It is also dangerous in the days of cyber-crime if it falls into the wrong hands.
Is the threat of fines real? Should you be worried?
- Will you be fined for non-compliance?
Much has been made about large fines for non-compliance with the new rules. In reality, does the ICO really have the resources to check every small business is complying with the rules? No of course not.
- Who will be the main targets for being fined?
The new rules were intended to bring into line the large companies with large marketing departments who use people’s data like confetti. They will be expected to comply fully as they have the staff and budgets to do so.
- So will small businesses be fined?
Never say never but the overall aim will be to instruct and guide them towards compliance. As we said yesterday, what they expect is proportionate to the size of the business.
- Which small businesses are most at risk?
Those that flagrantly ignore the new rules and have people report them to the I
First Steps – What personal data do you hold?
- What is Data?
Firstly you must work out what Data you process. Data for GDPR is any information that you process that identifies an individual. This includes digital, printed and handwritten.
- What is Information?
Information includes a name, address, email address (work and personal), telephone number.
- What does it mean to Process Data?
GDPR applies if you Process that Data. In this context Process includes collecting it, storing it and deleting it. This is wider than just using it for marketing. Strictly speaking it includes collecting Business Cards, but it remains to be seen how that will apply in practice.
- What must you do when you collect Data?
At the point that you collect any Data you must now tell the Subject what you are going to do with that data. You must then stick to what you have said. If you are going to send them a Newsletter you must tell them that.
What initial steps must you take when you collect Data?
The first thing is that you should establish that you have the legal right to process the Data. The new rules give six legitimate reasons, although some will rarely apply to the small business:
- Consent – probably the main one. For this to apply the individual must have given clear informed consent for their personal data to be used for a specific purpose. This means that if the consent is to receive a newsletter, then that is all that should be sent, not offers etc.
- Contract – this is where a contract exists between you and the individual and this data about them is essential to complete the contract.
- Legal Obligation – when you need the personal Data to comply with the general law. An example is employees' data that is needed to comply with the rules of HMRC.
- Vital Interest – necessary to protect someone’s life.
- Public Task – necessary to perform a task in the public interest or for official functions.
- Legitimate Interests – a bit vague and in need of clarification.
What these terms mean will only really become clear when they are applied to practical cases. What do you tell the person at the point you collect their Data?
This must include exactly who you are and the specific reason you will use their data, together with the Legal Basis for doing so. Whatever specific reason you give, you must keep to that.
The list given above of the six legal bases is very dry and in practice will need time to show exactly what it means to the small business.
The ones of most importance are:
- Contract – you need the information to complete the contract, e.g. if you need to deliver goods you need a name and address. Sense would indicate that a telephone number and email would be useful in case of problems, but how far sense goes remains to be seen.
- Legal requirements – you need information to complete returns to HMRC and be able to justify them for at least six years. You also collect data under the Money Laundering Regulations.
- Consent – this is mainly to send out marketing materials. It has to be specific and accurate for the actual marketing being used, e.g. a newsletter.
The Privacy Notice
All businesses that process Data need a GDPR compliant Privacy Notice. This will cover a wider range than the Privacy Policies many currently have on their websites.
The Privacy Notice should be given to the individual when you first collect their data and you should also have it on your website.
The contents will vary according to each individual business but will include:
- What information will be collected and why
- The legal basis for this
- How long it will be kept
- Who you will share it with
- What the rights of the individual are
These need to be individually and accurately drafted.