With GDPR due to come into force in May this year, we have a more in-depth look at the key points surrounding GDPR and what preparations SMEs should be making to ensure that they are fully compliant with the new regulations.
The General Data Protection Regulation (GDPR) is an EU-wide regulation governing how companies handle personal data. The drive behind the changes is to give individuals greater rights to find out who holds personal data about them and to have that data corrected or removed, and to update existing data protection rules to cover the processing of data over the internet and through cloud technologies.
The key points you need to understand about GDPR as a business are:
- It applies to all EU businesses, including all UK businesses, from 25 May 2018.
- It will affect your business, since every business deals with personal data at some level, whether that is only data about its own staff or data about other companies or the general public.
- GDPR gives individuals greater rights to make requests relating to data held about them.
- GDPR brings in more stringent rules on reporting data breaches and much tougher fines for failing to report a breach in a timely manner: up to either 10 million euros or 2 percent of a company’s global turnover.
- In the UK the Information Commissioner’s Office (ICO) is responsible for enforcing GDPR and has published a large amount of related information and guidance on its website: https://ico.org.uk
Preparation for GDPR
The ICO has published the following 12 steps that companies should take to help them prepare for GDPR. We’ve added some of our own advice to each point to clarify how it affects SMEs and where it may require you to take specific action. The full guidance document from the ICO is available here.
1. Awareness – Ensure that all key parts of the business are aware of these regulations and the effect they will have. GDPR should be discussed at board level, and changes required by the business should have buy-in from the management team. Your company may need to register with the ICO based on how it uses data – a self-assessment for registration is available here.
2. Information you hold – You need to be aware of all personal data you hold in the business (e.g. HR records, client data, marketing data, contact details), how it was collected and whether you’ve shared it with other companies. You also need to understand what constitutes personal data, which can include IP addresses collected when users visit your website if that information is not anonymised.
3. Communicating privacy information – Privacy notices (e.g. on your company website) should be updated to take GDPR into account. They should include details of who your company is, what an individual’s personal data will be used for and which lawful basis you intend to rely on to process it.
4. Individuals’ rights – You need to ensure that you understand what rights individuals now have under GDPR and have procedures in place to handle the requests that may come in relating to personal data you hold: for example, how to provide the personal data held about an individual if they request it, or how to delete such data if required.
5. Subject Access Requests – You will need processes in place to capture any such requests, as noted in point 4, and to ensure they are dealt with in a timely manner.
6. Lawful basis for processing personal data – If you hold personal data on individuals, you should understand which lawful basis allows you to process that information and, if necessary, update any privacy notices relating to it. For more information on the lawful bases, please see the ICO website.
7. Consent to hold personal data – If you store personal data under the lawful basis of consent, you will need to determine how you record and manage consent going forward and, if necessary, refresh any existing consent for data you hold that does not meet GDPR standards.
8. Children – If you store personal data about children, you need to understand how to obtain parent/guardian consent. If you collect information from the general public, you also need to consider how to record and verify individuals’ ages.
9. Data Breaches – You need to ensure that you have processes in place to record any data breach that occurs, and that you understand when a breach must be reported to the ICO and the timescales involved. We’ve covered this in more detail in our article on Reporting Data Breaches.
10. Data Protection by Design – GDPR makes “privacy by design” a legal requirement. This means that whenever you store or process personal data you must take the necessary steps to ensure the data is managed correctly. Examples include limiting who has access to it and only storing and using it on secured internal systems. For any high-risk data processing activity, a Data Protection Impact Assessment should be completed.
11. Data Protection Officers (DPO) – A DPO may need to be appointed depending on the size of your company and the amount of personal data it processes. For most SMEs this won’t be necessary, as we’ve covered in an earlier article; however, a staff member should be designated to handle any requests and other issues relating to GDPR (see points 5 and 9).
12. International – If your company operates in multiple countries, you will need to determine which supervisory authority is your lead data protection authority. This will generally only apply if you have offices in another country or process data relating to individuals based there. You will also need to be aware of any instances where you may carry personal data into other countries (e.g. on a phone or laptop), especially if the device carrying it is not encrypted.
GDPR will affect all businesses, and at the moment it is not clear how strictly the regulations will be enforced from 25 May. However, if a company has addressed the majority of the points above, then even in the event of a breach the ICO is likely to be more lenient, since the business will have shown good faith in readying itself for GDPR.
Information Technology is an integral part of GDPR compliance, and EC2 IT can work with you to help ensure your business is GDPR ready. Remember that it is the duty of the business itself to ensure it is compliant with the new regulations, and this should be driven from the top of the business by an understanding of GDPR’s importance.