The introduction of the GDPR has been described as the most important change in data privacy regulation for 20 years. So, how could it affect your small business?
What is the GDPR?
The EU General Data Protection Regulation – the GDPR – has been created to replace Directive 95/46/EC, which was adopted in 1995.
The aim is to better protect EU citizens from privacy and data breaches, because the world has become significantly more data-driven in the past 20 years. And, crucially, the EU wants people to have more control over how their personal data is used by others.
According to the EU GDPR website, the GDPR will “harmonise data privacy laws across Europe, protect and empower all EU citizens and reshape the way organisations approach data privacy.”
The Information Commissioner’s Office (ICO) is the independent authority in the UK that “upholds information rights in the public interest”. It will regulate the GDPR and although it believes organisations will need to be more accountable and transparent, it says many of the GDPR’s main concepts and principles are “much the same as those in the current Data Protection Act (DPA)”.
That means, if your business already complies with the DPA, you’re unlikely to have to make radical changes to become GDPR compliant. However, as the ICO warns: “There are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.”
According to Steve Wood, ICO Deputy Commissioner (Policy), the GDPR is “an evolution in data protection, not a revolution”. He adds: “Many of the fundamentals remain the same. Fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process – these are all things you should already be doing with data and [the] GDPR seeks only to build on those principles.” But, he stresses: “That doesn’t mean there’s any room for complacency”.
Although the EU adopted the GDPR on 27 April 2016, it won’t be enforced until 25 May 2018, which gives businesses time to become GDPR compliant. Those that do not comply with the GDPR could face very heavy fines. You should find out now whether the GDPR will affect your business, and if so – take steps to become compliant.
Will my business be affected by the GDPR?
Under the GDPR, “personal data” is defined as: “Any information related to a natural person or ‘data subject’ that can be used to directly or indirectly identify [them].” This could be:
a photograph of them
their email or postal address
bank account details
computer IP address
The GDPR applies if the data controller (i.e. the business or organisation that collects data) or the data processor (i.e. the business or organisation that processes data for the controller) or the data subject (the person to whom the data refers) is based in the EU.
Even if a controller or processor is based outside of the EU, the GDPR will still apply if they’re collecting or processing data relating to people who live in the EU.
Under the GDPR, controllers must ensure that personal data is processed lawfully, transparently and for a specific purpose, after which – if the data is no longer required – it must be deleted.
The GDPR will apply to all businesses that store and process the personal data of data subjects living in the EU. So, UK companies collecting or processing personal data must comply with the GDPR, because the UK will not leave the EU until after May 2018. And according to the ICO: “The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.”
Even after the UK leaves the EU, UK firms collecting or processing the personal data of people living in the EU will have to comply with the GDPR.
If your business does not comply with the GDPR, it could be hit with a fine of up to 4% of its turnover, while fines of up to €20m will be payable for more serious data breaches.
The size of a fine will be determined by a range of factors including:
• Whether the infringement was intentional or not.
• Whether adequate steps were taken to mitigate risk.
• Type of personal data.
• How many people were affected.
• How much damage they suffered.
• How long the infringement lasted.
• How the ICO found out about the infringement.
The Information Commissioner’s Office (ICO) can impose a penalty on a data controller (which could be a small business) of up to £500,000. You can appeal against either the penalty or the amount. Fines are paid to the Treasury, not the ICO.
Steve Wood, ICO Deputy Commissioner for Policy, warns of other damage that your business can suffer if it fails to manage customer data properly. “Failing to get data protection right is likely to damage your reputation, your customer relationships and, ultimately, your finances. That goes way beyond increased fines – think brand damage and a subsequent loss of custom,” he explains.
They can be used to identify them, so the GDPR applies. If you market your business by email, you must comply with GDPR requirements. When collecting customer email addresses, not only will you need their consent, but you’ll also need to explain how the data will be used. You cannot have a ‘pre-ticked’ opt-in box on your website or use email to promote products/services beyond the reason the customer initially gave their consent.
As the data controller, under the GDPR, you must ensure that your contracts with processors comply with the GDPR, whether they’re based in the EU or not. The GDPR also applies to cloud-based data storage systems if the controller, processor or data subjects are EU-based. In any case, as an EU-based business, if you collect personal data, the GDPR applies.
You’re unlikely to have to refresh existing consents if they meet DPA requirements. To be sure, check how consent was obtained. If consents do not meet the GDPR standard, you’ll need to seek new ones that do. Consent should be freely given, specific, informed and unambiguous.
Under the GDPR, a customer has the right to know what information you hold about them and how it’s processed. They can ask you to correct it if it’s inaccurate. And they can ask you to delete it if it is no longer required for the purpose for which consent was given.
The GDPR applies to automated personal data and manual filing systems where “personal data is accessible according to specific criteria”. According to the ICO: “This could include chronologically ordered sets of manual records containing personal data”. So, the GDPR can apply, even if you only store customer addresses in a paper-based filing system.
If you used an online campaign to request email addresses for those wanting to receive your newsletter, but no longer use them for this purpose, delete them. If someone hacked into your system and used the data for ‘phishing’ [i.e. fraudulent emails that seek to get people to reveal their passwords or credit card details], you could be severely fined.
The ICO recognises that GDPR compliance can be a challenge for small businesses. The Information Commissioner, Elizabeth Denham, says: “All organisations have to get ready for the new data protection rules, but we recognise that the 5.4 million small businesses in the UK face particular challenges.
“[They] want to be ready when the new law comes into force in May 2018, but they often struggle to know where to start. They may have less time and money to invest in getting it right and are less likely to have compliance teams, data protection officers or legal experts to advise them what to do.”
The organisation has launched a new phone line service that will offer additional, personal advice to small businesses. All you need to do is call 0303 123 1113 and select option four to speak to support staff. According to the ICO: “As well as advice on preparing for the GDPR, callers can also ask questions about current data protection rules and other legislation regulated by the ICO, including electronic marketing and Freedom of Information.”