The General Data Protection Regulation (GDPR) is a European Union directive that will come into force on 25th May 2018.
Its aim is to create stronger protections of EU citizens’ data by redefining the way companies must approach data privacy.
Most big businesses have spent the last few months preparing for the new regulations, sometimes employing whole teams to manoeuvre the business through to GDPR compliance. Most small businesses employing only a few staff, however, don’t have this luxury, and are likely to be working flat out meeting the needs of clients.
The bad news for SMEs is that there are no exemptions when it comes to GDPR. If your business holds personal information such as names, addresses, HR records, customer lists and even online identifiers such as a computer’s IP address, you could be subject to certain requirements of the GDPR.
However, there are some areas where it is acknowledged that SMEs have fewer resources or that they process lower volumes of non-sensitive data. In these cases, it is recognised that ‘appropriate’ measures implemented by SMEs can be less robust than those of large corporates.
Despite this, it’s important that all SMEs get a plan in place to ensure they comply with the new regulations by 25th May. There is a range of support and resources out there to help businesses through this process, particularly from the Information Commissioner’s Office (ICO), which has created a self-assessment checklist for GDPR and a dedicated advice service for small organisations.
Here are our top tips for complying with the GDPR.
Ensure appropriate staff within your organisation (for micro businesses, this may be all staff) are aware that the law is changing and of the implications of non-compliance, including fines of up to €20 million, not to mention damage to reputation. In some cases, the ICO has the authority to order companies to temporarily stop processing data, which for most businesses would stop them from operating.
Review what personal data you hold, where it has come from, what you do with it and who you share it with. It is important to question why you are holding this data and be clear about your justification in law for doing so. Keep a record of your reason for holding this data (e.g. consent from the individual, contract necessity) to provide transparency.
The definition of consent has been tightened under the GDPR, so that it must now be “freely given, specific, informed and unambiguous”. If you are relying on consent to process a data subject’s personal data, rather than contract necessity for example, then you will need to review how you seek, record and manage consent and retrospectively refresh existing consents if they don’t meet the GDPR standard. The ICO has developed detailed guidance on consent under the GDPR and a consent checklist to review practices.
Review Policies and Procedures
You will need to update your business’ privacy and data protection agreements, providing transparency about how data is captured, stored and shared. In addition, procedures should be checked to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
As part of this process, organisations should identify the lawful basis for processing personal data, and update privacy notices to explain this.
Individuals’ Rights and Subject Access Requests
Individuals have enhanced rights under the GDPR, and these rights differ depending on your legal justification for processing their data, so it is important to ensure that appropriate processes and templates are in place so that these rights can be met within the new timescale of one month. This includes how you would delete personal data or provide data upon request.
You should also update your procedures and plan how you will handle subject access requests to take account of the new rules.
Protection against Security Breaches
All employees should understand what constitutes a personal data breach, and when breaches need to be notified to the ICO and any individual whose data is affected by the breach. Processes should be put in place for flagging and escalating breaches internally, and for reporting breaches to the ICO and affected individuals.
Additional security measures can also be taken to reduce the likelihood of a breach. If you rely on a third party for IT functions or data storage, for example, ask for assurances about how they protect data. Also ensure all malware protection is up to date and mobile devices encrypted.
Data Protection by Design
The aim of the GDPR is to ensure that the protection of data is built into service and system design from the outset – both in the way that computer systems are designed and the policies and procedures that are in place to dictate how people should use them. By developing ‘Data Protection Impact Assessments’, essentially risk assessments for processing data that the ICO deems ‘likely to result in a high risk to individuals’, small businesses can go a long way towards developing more secure systems and procedures.
For those businesses that hold personal data for children, additional levels of consent will be required under the GDPR. It is important to start thinking now about whether systems need to be put in place to verify individuals’ ages and obtain parental or guardian consent for any data processing activity.
More information about steps businesses can take to ensure they comply with the GDPR can be found on the ICO’s guide ‘12 steps to take now’.