25th May 2019 marks one year since the compliance deadline for the General Data Protection Regulation (GDPR), which was formally made part of UK law under the Data Protection Act 2018. The aim of the GDPR is two-fold:
- To strengthen data protection policy by giving EU citizens more control over their personal data and what the data is used for.
- To modernise and simplify the data regulations for businesses that operate in the EU.
The GDPR does recognise that small businesses are different from larger enterprises. Everybody is bound by the Data Protection Act; however, Article 30 of the GDPR states that businesses with fewer than 250 employees don’t have to keep the same records as larger enterprises – although there are a few stipulations which businesses probably should follow regardless of their size.
The first step to making sure you’re compliant is to register as a data controller with the ICO.
Collecting and storing personal data
The ICO defines personal data as information relating to natural persons who can be identified or who are identifiable directly from the information in question or who can be indirectly identified in combination with other information.
This can cover everything from names, addresses, contact information, bank details, credit card information and even medical information.
Any information you hold on EU citizens, whether it’s information for HR purposes, customer data or suppliers, is affected by the GDPR. You’ll need to ensure that all the personal data you’re collecting is stored and processed for a legitimate purpose.
You can only collect personal data if you have a reason to do so and the data collected can only be used for that purpose. So, for example, if you have information stored for operational purposes, you’ll have to reach out to those people to gain further consent if you want to use their information for marketing purposes or something other than the purpose for which it was originally collected.
Individuals’ rights under the GDPR
Individuals have the right to ask a business what information is stored about them. This is, by and large, nothing new, but businesses now have 30 days (as opposed to 40 days) to process and respond to a Subject Access Request and cannot charge an individual for the information.
Individuals also have the right to ask a business to delete all personal data stored about them, unless the business needs it for legitimate legal reasons – like tax. Individuals can also ask for a digital copy of their information to use as they wish. This can include changing providers or transitioning to a new service.
Check your products and services
To make sure you’re GDPR compliant, the first thing you’ll have to do is look at which of your products and services collect personal data. You’ll then need to make sure that you have a legitimate legal reason to collect that data. As a data controller and processor, you’ll need to ensure that you can respond to any Subject Access Requests that might come your way.
For example, are the systems you use to store information properly secure? How many systems do you store information on? How much time would it take for you to locate and collate the information if you ever received a Subject Access Request? Do you need to provide training to staff members about how to run searches and respond to a Subject Access Request?
You might not ever receive one, particularly if you only have a handful of customers or clients – but just having a process can put you ahead of the game massively.
Review notices and contracts
One element of the GDPR that probably applies to most businesses, regardless of their size, is the need to update your internal and external notices for GDPR. You’ll need to find somewhere suitable to display the information so that both employees and customers understand your business’s stance on GDPR and that you’re compliant.
You’ll also need to make sure that all your customer contracts are GDPR compliant. The ICO provides some very thorough guidelines on what should be included in a GDPR compliant contract. You must include the subject matter and duration of the processing, as well as the type of information you collect and how it will be used.
Worried about being compliant? All our formation packages come with Legal Plan – our subscription-based legal service for small businesses. So, whether you need to speak to somebody about compliance, or another legal issue you can talk to a qualified professional at an affordable price. Find out more about Legal Plan and our formation products, here.