GDPR, the General Data Protection Regulation, comes into effect on 25th May and is the biggest shake-up of data protection laws in the UK for 20 years. It’s been a long time coming, and that’s because the way businesses use data has changed massively since the mid-90s, and the existing data protection legislation (the Data Protection Act 1998) is simply no longer fit for purpose.
What is GDPR?

GDPR is a wide-ranging regulation designed to protect the privacy of individuals in the European Union (EU) and to control how businesses handle personal data, including how it is collected, stored and used. So as an individual, if you shop online, allow cookies on websites, subscribe to newsletters, or otherwise share your personal data, GDPR will play a role in how it is used. It’s not just big businesses that have to worry about GDPR. Even if you are just a one-man operation, if your business holds any personal data, such as on employees or clients, then GDPR applies to you. There is a huge amount of information online around GDPR, so we’ve tried to digest this into the fundamentals of the regulation, followed by 7 simple, practical steps you, as a business owner, can take to comply.
Key areas of GDPR

GDPR broadly covers the following areas:

- Personal data - This includes customers, employees, suppliers or anyone else you collect personal data from. Names, contact details, bank account and credit card information are all examples of personal data.
- Collecting personal data - You can only collect personal data if you have a legal reason to, such as for a contract for services. You must make it clear what the personal data will be used for, and not use it for anything else.
- The right to access - Individuals can ask a business what data is being held on them. This isn’t new, but with GDPR, businesses must respond within one month and can’t charge a fee.
- The right to be forgotten - Individuals can ask a company to delete their personal data from their records, unless the business has a legal reason for holding it, for example tax or compliance purposes.
- Data portability - Individuals can request a digital copy of their personal data (usually a CSV file), for example if they are switching between service providers.
- Data breaches - Any breach of personal data must be reported to the Information Commissioner’s Office (ICO). You must do this within 72 hours of becoming aware of the breach, where feasible.
GDPR - 7 practical steps for small businesses

It might seem scary, but what GDPR really comes down to is being clear and ethical with people’s personal information. Here are 7 practical steps you can take as a small business owner:
- Know about it! Read up on GDPR yourself, and make sure the main people in your business also know how the law is changing.
- Review what information you hold. Think about what personal data your business holds, where you got it and what you do with it. You should then identify and document your legal basis for doing so.
- Check you can meet your obligations. Individuals have specific rights under GDPR - including their rights to access and erase their data and to ask for it in a digitally portable format. Make sure you have procedures in place to cover all these rights.
- Get consent. A vital way to protect your business under GDPR is to ask for (and document) affirmative consent from individuals on whom you hold personal information. Under GDPR it is no longer acceptable to ask people to opt out, instead they must choose to opt in.
- Know what to do if there is a data breach. Your business needs to have a policy and procedure in place to detect, report and investigate any personal data breaches. All breaches must be reported to the ICO.
- Assign responsibility. Make someone in your business responsible for looking after data protection and privacy. You may need to appoint a Data Protection Officer. Check out the ICO guidance on this for further info.