GDPR and your business
- Helen Osman
- May 24, 2018
- 7 min read
The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018, designed to enable individuals to better control their personal data. This legislation must be adopted by every business and other organisation in the country, large or small, even sole traders.
Almost certainly it will apply to your business/organisation. You may even have missed the deadline, but that doesn’t mean that you can ignore what is one of the most important pieces of legislation impacting on businesses for decades.
Does it apply to you? Take the test
Does your company/organisation hold any personally identifiable information (PII)?
This is defined as any information that can be used to identify a person. It includes names, addresses, email, gender, DOB, faces, IP address, website cookies, purchases, downloads, payment transactions, donations, education, financial information.
If you hold any of the above information, you must show that you understand the GDPR obligations, which relate to your employees, your contractors and suppliers, as well as customers/clients. In the case of your customers/contacts etc, you must ensure that you have communicated to individuals that they are on your mailing list and that they have agreed to remain in contact with you.
It is the law, the ICO (Information Commissioner's Office) can carry out an audit at any time. Companies and other organisations may be selected randomly. If you decide to do nothing, you could be fined 2% of your turnover for non-compliance. It could also destroy trust in your business
Under GDPR individuals have the right to compensation if they suffer loss or damage as a result of actions or inactions taken by your organisation.
Don't panic!
The principle behind GDPR is that you only store the minimal amount of information and for the shortest time possible and that it is stored securely.
Personal data must be acquired lawfully, fairly and transparently
It must only be held for explicit and legitimate purposes
The data held on individuals should be limited to what is relevant and necessary for the purpose
Data should be up-to-date and be accurate
Data should be kept secure. GDPR covers data held electronically and in paper files. No more lever arch files on shelves; from now on you have a legal liability for all this information and failure to take these measures could result in a heavy fine.
Action – one step at a time
You can have all this sorted using this jargon free guide as a starting point and simple templates, created by GDPR experts, including The DPO Centre (thanks to the North London Chamber of Commerce) and from the ICO website. https://ico.org.uk
Use these templates to create your own GDPR compliant documents. Copy across each section into a word document, insert your company name in the relevant sections and delete the parts that don't apply to your business/organisation.
If you do it this way you will start to understand GDPR and the implications for your business or organisation. one step at a time.
This guide is intended as an introduction to GDPR, to help you to work out what you need to do to protect your business. It is always advisable to have your GDPR documents checked over by your solicitor.
The DPO https://www.dpocentre.com is a specialist consultancy helping companies navigate through this minefield. There are others; if in doubt seek expert advice.
.
Impact Assessment
Begin by listing all the information that you and companies you work with hold on your staff, contractors, suppliers and customers, including potential customers. There are various categories of data, defined as personal, sensitive and special category, shown in the three columns on the slide above. Most organisations are prohibited from holding special category data, without explicit reasons for doing so and informed consent.
Other key questions:
Who has access to this data?
Is it up to date, correct and complete?
How is it stored, and is this data stored safely, in password controlled/encrypted files and in locked filing cabinets etc?
How long do you retain personal data and how is it deleted when no longer required?
The legislation has two categories of data users:
• Data controller: the person or persons who are responsible for the PII data held within an organisation
• Data processor: any person or company that 'process' your PII data, i.e. have access to it. This could include a marketing agency, payroll company, recruitment company, IT suppliers, security company.
Privacy Policy
The most important document to create is your organisation's privacy policy, to demonstrate that you have a privacy policy in place and that you have taken steps to comply with the law. This explains what personal information you hold, how it is used (your processing activities), how data is stored and for how long.
Your privacy policy should be published on your website, along with your cookie policies.
Here is a link to a General Privacy Policy template, which you can adapt for your business. Copy across each section into your own word document and change the sections highlighted in red to your company/organisation name, deleting any which are not relevant.
GENERAL PRIVACY POLICY TEMPLATE
Staff Privacy Policies
If you employ people your Employee Privacy Policy needs to be provide to and signed by all employees and written into employment contracts.
EMPLOYEE PRIVACY POLICY TEMPLATE
Your staff must be trained in your Data Protection Policy and their obligations to protect the personal data held by your company. Their compliance must regularly reviewed. Larger organisations must have a Data Protection Officer; smaller companies must assign this role to a named person in the organisation.
INTERNAL DATA PROTECTION POLICY TEMPLATE
Third Party Contractors – Your Data Processors
Do you share any personal information with a third party, such as a payroll bureau, a web developer, a marketing services company, your accountant, solicitor or a cloud service provider?
If yes, you need to put a written agreement in place, called a Data Processor Addendum.
You need to stop sending emails with attachments containing PII data; instead use file transfer apps like Dropbox and manage who has access to these files.
DATA PROCESSOR ADDENDUM TEMPLATE
Electronic marketing – Consent to contact
The Privacy & Electronic Communications Regulations (PECR) are also being updated under GDPR.
By now you are likely to be sick of re-subscribing, ignoring or responding to emails from companies and other organisations who have you on their mailing lists and want to stay in touch with you. If you are developed mailing lists delivered by email or text for your organisation you must comply with PECR.
The rules for communicating with consumers are more strict than marketing to businesses. From 25/5/18 companies & other organisations can no longer send unsolicited marketing messages to consumers. Consent should be sought, as you are not allowed to rely on pre-GDPR consent.
Most organisations are required to request a positive opt-in. However, many organisations are citing a "Legitimate Interest" for staying in touch, which is likely to lead to less erosion of the database.
If your company and organisation can cite 'legitimate interest', then you are not required to rely on individuals opting in. However, there must still be a clear communication of your PECR policy with the user, giving them the opportunity to opt out, with a link to your privacy policy and cookie policy if applicable.
Here is the Information Commissioner's Office (ICO) definition of legitimate interest:
• That there is a clear benefit to the individual in receiving the communication
• There is a limited impact on the privacy of the individual
• The individual should reasonably expect you to use their data in this way
• That you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.
Here is an example of an email which covers all the key issues:
"As you may be aware, the General Data Protection Regulation (GDPR) will come into effect on Friday 25th May 2018, which will harmonise existing data protection legislation within the European Union. This means companies have new obligations around the storing and processing of the personal data of their customers/supporters.
Our company has always taken our data protection responsibilities very seriously and we will continue to do so. We have implemented proper measures to ensure we are compliant with GDPR and your data will be treated with the highest standards, as laid out in the regulation. Please do have a look at our updated Cookie Policy [insert link] and Privacy Policy [insert link], which sets out the information we collect and why we collect it. If you have any questions or concerns, please get in touch, email. You can, of course change your email preferences at any time, (link to opt out form) or provide an email
Thank you for your continued support"
Finally
This legislation was designed to ensure that big companies don't continue to abuse/misuse personal data. It has even been described by one GDPR expert as "corporate law gone wrong", because of the way that small companies and not for profit organisations are also required to comply.
However, that doesn't mean you can ignore it. Ideally all your GDPR policy documents should be checked over by a solicitor.
We may all make mistakes on how we interpret this new legislation; the most important thing for you to do is to demonstrate that you have undertaken your best efforts in complying with GDPR.
There are further documents that you could construct to cover your legal obligations, which can be downloaded from this website.
https://www.dpocentre.com/gdpr-policy-toolkit/
There is also a dedicated GDPR advice line to assist small businesses prepare: call 0303 123 1113. Select option 4 to be diverted to staff who can offer advice and support
The Information Commissioner's Office is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Here is a link to their GDPR guidelines
-----------------------------------------------------------------------------------------------------
Care is taken to ensure this information is accurate. Please use wisely, as your GDPR starting point and consult your own experts for legal advice.