Be Prepared. Don’t Risk a Fine
According to analysis, if GDPR was applied in 2016, UK business fines would have amounted to £69m rather than £880,500
As a small business layperson, the new GDPR was on my radar, but not at the forefront of my thinking – like many busy looking after existing clients and winning new ones.
However, that has now changed with the EU General Data Protection Regulation (GDPR) coming into force on 25th May, 2018.
From then if your business/organisation (including charities) is non-compliant you could face heavy fines.
I’ve tried to keep this as simple as possible so that even I understand the basic do’s and don’ts of the GDPR.
So, What is the EU GDPR?
The EU GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across EU member states, to protect and empower all EU citizens data privacy and to reshape the way organisations across the EU approach data privacy.
Penalties for non-compliance?
Organisations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.
Scary New Rules?
I am not a lawyer but have spent some time researching the impact of GDPR and my findings are below with embedded links for further information and clarification. If you are a small business and applied the existing Data Protection rules then with a little bit of data housekeeping you should be fine.
The key is to make it very clear that you have permission and purpose to process the data you hold.
As long as you ensure you have the correct documents completed which show you understand risk and have taken a reasonable amount of precaution to tackle the risk you will be very close to complying.
GDPR has been blown up to be this set of scary new rules but in reality, you don’t need to worry as long as you stick to the following tips –
- Make sure people know exactly what you are doing with their data. Don’t use big words to confuse or trick people as this is against the new rules.
- Break down every use you have for their data and why you are using it, letting them positively opt-in for the use you outline.
- (The best example of positive opt-in is ticking a box, on your website/email, to accept the outlined uses, not ticking to say you disagree.)
- You don’t have to worry about marketing to people as long you have gained their permission to do so and are marketing using only the information you have been given permission to hold.
- Contacting existing customers – most online shop platforms have a mandatory T&Cs box before a sale/service can be processed. This in the many I’ve glanced at authorises further contact. As a belt and braces approach, I’d advise to revalidate them*
GDPR and Data Training
For many small businesses, I’d recommend reading up on as much as possible and acting upon your findings. For larger enterprises, some form of formal training on the GDPR rules should be allowed for and if necessary appoint a Data Protection Officer.
Make sure everyone across your business have at least a basic understanding of data protection compliance.
If you train them and/or provide GDPR related training materials it will not only help with your own compliance but also enable your staff to understand what role they play in data protection compliance.
Practical GDPR steps to take
- Prepare your business for the GDPR by understanding what it means for your business and determine if you fall within the definition of a data processor. You need to decide whether your service or the service you provide processes data on behalf of your clients and remember that processing includes everything from storage to using personal data.
- Audit your business to understand what data, systems and policies you have in place that make you GDPR compliant and what gaps in compliance you have. You’ll need to determine what needs changing and put a plan of action in place to ensure you meet the compliance deadline, bearing in mind the regulatory duties the GDPR imposes on data processors.
- Even if you don’t need to document your processing activities (i.e. you don’t meet the requirements set out in the GDPR) it’s worthwhile documenting as much as possible even if it’s part of a general data protection policy for your business. Having documentation in place will help show you are taking data protection seriously which is a great positive for your customers but also can be helpful should you ever need to deal with the ICO.
- Prepare a GDPR statement which you can provide to your clients and potential clients. This statement should provide all the reasons with your service is GDPR compliant and how it allows the customer to be GDPR compliant. Having a statement ready will pre-empt any enquiries you may get from your customers.
- Consider what the best way is for you to implement the contractual requirements of the GDPR between yourselves and your customers. In practice this will depend on how you manage the contractual relationship now – if generally, your clients provide a contract for you to sign you can expect to receive updated contracts from them anytime from now until May next year; if the contractual relationship is via your terms of service then you need to consider how your T&Cs can be updated to take on board the contractual obligations now needed between you and your customers.
- Passwords must be kept as secure as possible – use a mix of capitals and lowercase letters, numbers and special characters. Make it at least 8 characters long.
- If your laptop/tablet gets compromised, every single account you have is now also compromised.
- It is important that if you have lots of passwords you use a secure encrypted service to keep them safe.
- This also applies to passwords kept in notebooks – offline. GDPR does not just apply to digital media, but any form of storage including paper. If you note passwords down in this form and your notebook is stolen, you have compromised all your accounts.
- All devices used by members of your organisation that are used in relation to the work you do must be properly secured. This includes mobile phones, USB’s, laptops and any other form of digital storage. The best way to do this is to encrypt the devices.
- Any record stored on paper should be stored in a safe location, being locked where appropriate.
Delete and Destroy
N.B. Delete doesn’t mean the data has gone! Just because you have deleted something from a memory stick does not mean it has gone because, in fact, it can remain on the device for a period of time until something replaces it. CDs and DVDs and in particular the hard drives on your computers need particular attention. I didn’t realise how difficult it is to erase date – seek technical support to learn how to safely discard data.
The same applies to paper – destroy it using professional shredding services, especially where data is highly sensitive.
What counts as personal data?
Personal data is any information held about a person that can be used to identify them.
Any information related to a person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts/comments on websites, medical information, or a computer IP address.
It is important that you give people a clear and concise reason for storing their data and only using the data in the way you outline to them and seeking further confirmation for other uses.
If you don’t need their data, don’t store it! – Always ask yourself “what is the need for storing this data and do I have permission?” Then you can’t go far wrong.
Always ensure you can easily remove any data if asked or if it has been held longer than you outlined to the owner of the data – emails hold a lot of personal information and it is important you can look up and delete that email address as easy as any other information you store on people.
If someone asks you to remove their email address, then their email address must be removed within reason, to the best of your ability, from all locations it is stored, this means – but not limited to:
- Your mailing lists
- Your database
- Your CRM
- Your email client address book
- Your mobile phone email address book
- Any website/file backups that you have
- Any other location it could be stored, whether digitally or on paper.
*Revalidate your mailing list?
If like me you may have been receiving emails from companies various asking if I would like to continue receiving emails from them after 1st May 2018 or not. There are two clear options given, a Yes and No. If I select no, then they must remove all the data they hold about me and not contact me again. By ticking yes I’m giving explicit permission for them to continue emailing me.
If you take this simple approach, the end result will give you an opted-in list. Yes you may or probably will lose some, but hey ho what’s the point of having people on your list who don’t want to hear from you. If you did mail them again without revalidating your list you may be in breach of the GDPR, and risk a fine.
Notification of a personal data breach to the supervisory authority
- In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
A full list of EU data protection supervisory authorities available at the European Commission website, with contact info.
- Make sure your website is secure
- Enforce strong passwords for all users
- Make sure the software that runs your website is kept up-to-date
- If you don’t have a SSL certificate, get one. On the websites, I develop I install a Let’s Encrypt SSL Certificate. If you don’t have one you will be penalised by Google and flagged as Not Secure. Obviously, this will have an impact on your business.
I’ll be publishing a post in more detail on how website owners can comply with the new regulation – I’m waiting for details from the web hosting company I use, as they are in the data loop.
Be Safe. Be Secure