The General Data Protection Regulation (GDPR) is coming into effect on 25th May 2018, but what does this mean for small businesses?
Some small businesses may perceive that the GDPR does not affect them because of their size, believing it only applies to businesses of 250 users or more. Unfortunately, this is not the case: the GDPR affects every business that deals with and stores Personally Identifiable Information (PII), and this even includes charities that are not for profit.
Understanding the type of data that is affected by the GDPR is one thing, but analysing your data, where it is held and who is responsible for it is another issue entirely.
In a perfect world all data would be stored and processed securely, but as we all know this is not always the case. Many businesses do not store their paperwork electronically, and where they do, it is sometimes not secured correctly.
Firstly, does this affect business information?
The GDPR only affects businesses that hold personal information. This does not include information about an individual that relates to a business, for example their business email address or phone number.
This does not necessarily mean that you will be unaffected if your business only deals with other businesses. If you have employees you will more than likely hold information about them, including their personal address, personal phone number and payroll information.
What can you do to get a handle on your data?
To ensure that your data is managed correctly, the process should begin with discovering where all of your data is stored, whether this is on a central network, in the cloud, or even on mobile devices. You should consider all processes involved that require you to collect, store, use and dispose of personal data.
Once you have reviewed this information you will be better able to monitor your compliance and the processes involved in how you deal with your data.
This in turn helps should your business receive a Subject Access Request from an individual. An individual can request at any time what information you hold on them. This would include details that personally identify them, such as address and phone number, as well as emails that reference them.
Consider how valuable, sensitive or confidential the information is and what damage or distress could be caused to individuals if there was a security breach.
With a clear view of the risks you can begin to choose the security measures that are appropriate for your needs. The next step is to begin putting them in place.
There is no single product that will provide complete guarantee of security for your business. The recommended approach however is to have a set of solutions or security controls that complement each other but will require ongoing support to ensure that the level of security is appropriate.
In Mark's review on page 5 he discusses areas in which businesses should look to adopt solutions to help ensure compliance with the GDPR.
What can businesses do to help ensure an appropriate level of security?
The UK Government has a scheme called Cyber Essentials which describes key controls for keeping information secure that could prevent “around 80% of cyber attacks”.
The Cyber Essentials scheme provides businesses small and large with clarity on good basic cyber security practice. By focusing on basic cyber hygiene, your business will be better protected from the most common cyber threats.
Whilst your business will require more than just a Cyber Essentials certification to comply with the GDPR, it is a great first step in providing evidence that you have carried out basic steps towards protecting your business and your data from internet-based cyber attacks.
Do you need a Data Protection Officer?
Whether you require a Data Protection Officer (DPO) depends on what data you collect.
If your central purpose requires “regular and systematic monitoring of data subjects on a large scale” then you must appoint a data protection officer.
You must also appoint one if you collect records of criminal convictions, or ethnicity, religious or philosophical beliefs, political opinions, trade union membership details, health, sex life, or sexual orientation data on a large scale.
The nature of the DPO role is to inform and advise on data collection practices and monitor compliance, as well as acting as the point of contact with the Information Commissioner's Office (ICO). If you are unsure, you should contact the ICO directly and they will be able to advise.
What is your role?
You will need to understand whether your business acts as a data controller or processor.
– Data controllers are organisations/individuals who collect personal data and decide how and why it is used.
– Data processors process information on behalf of data controllers.
In real terms, this means that you and your business are data controllers, and data processors are external companies who use data that you control. The scope is fairly wide; it could be solicitors, accountants, IT services or even postal services if you are sending products or marketing material to your customers.
Businesses with external suppliers processing data.
If your business works with external suppliers to process data, or they have access to your data, then as a data controller you are required to put a contract in place with the data processor. The contract must set out what the processor can and cannot do with the data, and must require the processor to act only on your instructions.
When collecting data, data controllers have an obligation to use plain language and to communicate clearly why the data is being collected.
Businesses must respect the 'right to be forgotten'. This is a recent concept which allows people to request that inaccurate, inadequate, irrelevant or excessive information about them be removed.
If an individual asks that their data be removed, you must comply with the request, unless you have a right to refuse to comply, such as needing the data for a legal obligation.
Subject Access Requests
Under the GDPR individuals have the right to obtain the information you hold about them. Previously, under the old regulations, you could charge a nominal fee to provide this data to help with the administration costs. However, the GDPR now states that you have to provide this information free of charge.
With this in mind, it is vital that as a business you know where your data is held, so that you can collate the information in an orderly fashion. This ensures that you comply with the new rule that the information must be provided within a month of receiving the request.
Having said that, if you feel a request is manifestly unfounded or excessive, you can charge a reasonable fee taking into account the administration costs, or you could even refuse to respond if you provide a legitimate reason. You may think that providing the contact details of the individual is all you need to provide; however, this is not the case. The information you provide should include anything that relates to the individual and allows them to be identified from it, either on its own or in conjunction with other information likely to come into the business's possession. In most cases an individual's name together with some other information will be sufficient to identify them.
This information needs to be sent to the individual in electronic format, so it is worth noting that the email needs to be protected in transit to prevent the data from being leaked. Take a look at page 10, where we discuss a solution that could assist with this.
Policies and Procedures
The GDPR introduces an accountability principle that requires businesses to be responsible for, and able to demonstrate, compliance with the principles of the GDPR.
This is probably one of the most labour intensive parts to the new regulations, but one of the most important.
According to the ICO, if you can demonstrate that you have tried your best to put the policies and procedures in place to prevent data loss and notify the ICO of a data breach then it is less likely that you will receive a fine.
In order to show that you comply with the GDPR, you will likely need to produce and maintain a wide range of documentation. This will not only help you meet the explicit and implicit requirements for specific records (especially proving you have obtained consent from data subjects), but will also ensure you have evidence to support your claims should the ICO have any cause to investigate.
Which documentation is especially important?
• Statements of the information you collect and process, and the purpose for processing (Article 13 of the GDPR).
• Records of consent from data subjects or relevant holder of parental responsibility (Articles 7 and 8 of the GDPR).
• Records of processing activities under your responsibility (Article 30 of the GDPR).
• Documented processes for protecting personal data, such as an information security policy, cryptography policy and procedures, etc.
If you suffer a data breach, your business needs to have a plan in place for how it will deal with the breach, and must be aware of the rules on who needs to be notified. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals. This has to be assessed on a case by case basis.
A notifiable breach has to be reported to the ICO within 72 hours of the organisation becoming aware of it. If the breach is sufficiently serious to warrant notification to the public, the business responsible must do so without undue delay. Failing to notify a breach when required to do so can result in a significant fine.
In light of this you must ensure that you document how your business will deal with a breach and then ensure that all your staff are aware of this procedure.
If you require any help or guidance with reference to GDPR we would advise that you take a look at the ICO website which provides the ICO’s interpretation of the GDPR articles.