How Can Small Businesses be Sure of Complying with the New GDPR?
As the UK quickly moves towards the enforcement date of the new General Data Protection Regulation (GDPR) later this month, it is likely some smaller businesses are still not one hundred per cent sure if they have fulfilled the requirements. The directive took four years to prepare, and aimed to standardise data protection across the EU, meaning it is the most significant update in this area for 20 years. It was approved in April 2016, meaning UK businesses have already had two years to prepare. However, we understand that when a new, seemingly complicated, law is introduced the day-to-day running of your business can get in the way and sometimes (just sometimes) we all bury our heads in the sand.
Below we have created a simplified list of requirements so you can take a breath and feel confident about the changes that come into effect on 25 May 2018. If you are conforming to the current Data Protection Directive 95/46/EC then much of your existing management of data will remain valid, but there are new elements that you must quickly abide by. Nevertheless, if you think your company may still have some adjustments to make to its processes and documentation, and require guidance, please contact us about meeting with one of our business advisers.
Who in the Company is Responsible?
The GDPR applies to ‘controllers’ and ‘processors’. Processors work on behalf of the controllers to process personal data; these people are legally liable for contraventions and must maintain the records accurately. Controllers define the way in which personal data is processed and the purpose of that action; obligations on these people include ensuring contracts with processors comply with the GDPR. Someone in the business should take responsibility for data protection compliance, but a formally designated Data Protection Officer (DPO) is only required in some situations; more information can be found here.
Identify Vulnerable Areas and the Valid Lawful Basis for Processing Personal Data
The controllers and processors, and other key decision makers, must quickly identify where any new issues in compliance might lie. If you have a risk register, this is a good place to start, but with three weeks before the deadline you may now need to bring in an expert to help you understand and negate the impact rapidly. There are now six available lawful bases to choose from in order to comply, and although having a legitimate reason for holding data is not new, there are additional requirements on transparency and accountability.
> Ensure you can’t achieve the same purpose in a reasonable manner without processing
> The bases are: consent, contract, legal obligation, vital interests, public task and legitimate interests
> Choose the lawful basis wisely, before you begin processing, and document it, as you should only amend with good reason
> Include your lawful basis and the purposes of the processing in your privacy notice
There are currently not many practical implications in this area, but the rights of individuals will be affected under the GDPR; for example, when consent is the lawful basis, people have a stronger right to have data deleted.
Undertake Data Protection Impact Assessments Where Required
A privacy by design approach is required by the GDPR and in some cases, where processing is likely to result in a high risk to individuals, Data Protection Impact Assessments are mandatory. Examples include where a new technology is being deployed, where a profiling operation is likely to significantly affect individuals, or where there is large-scale processing of the special categories of data. The ICO’s Code of Practice for DPIAs can be found here, and if you cannot address the high risks, the ICO should be consulted.
Comply with Consent Measures - Seeking, Recording and Managing
The ICO has published detailed guidance and a checklist to help businesses review and refresh their consent practices; the key considerations are that consent must be opt-in, freely given, specific to the data and clear, and the person should feel informed in order to make the decision. If you currently process data with consent, it is crucial it meets the new GDPR criteria. If it doesn’t, you must get new compliant consent or utilise a new lawful basis; if you are unsure you may wish to seek advice from a business adviser to ensure it is “specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn”.
Document Everything to Illustrate Compliance
What personal data do you hold, where did it come from and who is it shared with? An information audit may be required across different parts of the business, and policies and procedures may need to be updated. Records must be maintained, and if any inaccuracies are found, all parties involved must be given the information so evidence can be amended accordingly.
Be Prepared to Identify and Report Data Breaches
You will be legally required to notify the ICO of a data breach in the event of a risk to the rights and freedoms of individuals; if the risk is high, you will also have to notify the people concerned. Examples of harm to rights and freedoms include financial loss, loss of confidentiality or damage to reputation. When reviewing procedures to ensure detection, reporting and investigation can be undertaken lawfully, it may be worthwhile categorising data so that if a breach occurs you know without difficulty whether it is reportable to the ICO or to individuals. Breaches, and failures in reporting breaches, can result in fines. If your company requires assistance in developing policies and procedures for managing data breaches, Adams Moore can advise and assist.
Communicate Transparently with the People Whose Data is Processed
Currently certain information, such as your identity and how you intend to use any data, must be communicated to people, but the GDPR requires additional disclosures. This can be imparted via a privacy notice, and must include the lawful basis, the data retention period and the fact that a complaint can be made if the person is not content with the way the data is processed. You can view the ICO’s privacy notices code of practice here, which reflects the new requirements.
Ensure the Rights of the Public are Covered in your GDPR Measures
Individuals’ rights now include the right of access, the right to rectification and the right to restrict processing, to name just three, so you must detail how each right can be met, for example, how you would retrieve and provide data to an individual or company in a commonly used electronic format. Requests cannot be charged for and must be handled within one month unless the request is considered excessive, so review your procedures and consider whether the logistics of requests will negatively impact your current methods. The new right to data portability should also be focussed on; it applies when processing is based on the individual’s consent or on the performance of a contract, when personal data has been given to a controller, and when processing is carried out by automated means.
Ensure Children’s Data and Verification is Compliant
The GDPR provides special protection for children’s personal data, a new area that is particularly pertinent for commercial internet services or ‘information society services’, which include social network sites. You will now need a parent or guardian’s consent for those 15 years of age and under if consent is relied on to collect and process information about the minor; this also means the person’s age must be proved and the consent of the holder of parental responsibility has to be verifiable in order to operate lawfully. It will also be important to ensure your privacy notice is written appropriately so that children will understand it.
Contact Adams Moore for advice about the way your business meets the new GDPR legislation by calling 01827 54944, or use our contact form.