How to stop the GDPR making a big impact on your small business
With SMEs being warned to get their data protection policies in place sooner rather than later to avoid hefty fines from the Information Commissioner’s Office (ICO), now's the time to make sure your small business is compliant with the General Data Protection Regulations (GDPR) coming into force in May 2018.
Under the GDPR, if you hold and process any information about clients, suppliers and/or employees, you are legally obliged to protect that information using several different IT processes and systems, some of which will be new and unfamiliar to small businesses. If you don't, you could find yourself in trouble with the ICO, and data breaches are going to cost you a lot of money.
Here are 10 steps you can take straight away to prepare for the GDPR, and stop it from having a massive impact on your small business…
1. Make yourself aware
Key decision makers in your small business need to be aware of how, where and when regulations are changing. It’s critical to understand exactly what the impact will be for your business and identify the areas that could cause you compliance issues.
A good place to start is to create a gap analysis or look at your company’s risk register and make a list of the systems and processes you need to change. It's also worth noting that implementation of the GDPR might have big implications for your resources, especially if you have limited time and people to help you process the information. But compliance will be especially tricky if you leave it until the last moment. So start now!
2. Consider the information you hold
Make a note of what personal data you currently retain, where it comes from, and who you are sharing these details with. It might be necessary to organise an information audit across your small business in its entirety, or in specific business areas.
The GDPR is going to require you to maintain records of processing activities, and you’ll need the right IT support in place. For example, if you hold incorrect personal information and have shared it with another company, under the new rules you must tell that company about its inaccuracy for their own records. This won’t be possible unless you keep a good record of the information you hold.
The regulations will require you to have clear documents of what data you hold, where it comes from, and who you share it with. Having this will also enable you to comply with the accountability principle of the GDPR, which insists businesses are able to show how they comply with the data protection principles.
3. Review current privacy policies
As a company, you need to look at your current privacy notices and implement a plan to put any key changes in place before the implementation of the GDPR.
Collecting personal data currently requires you to give people your identity and tell them how you choose to use their information. This is usually completed through supplying a privacy notice. But under the GDPR you will need to do more. For example, when you get new personal data you will have to explain the lawful basis of the collection and processing of the data, how long you will keep the data for, and that individuals can complain to the ICO if they believe there is an issue with how you are using or handling their data. In addition, the GDPR insists that you give this information out in easy to understand, concise language.
4. Check individuals' rights procedures
As a company, you will need to ensure that you cover all the rights that individuals have, from how you delete their data to how you provide data electronically. The GDPR has the following individuals’ rights:
the right to be informed
the right of access
the right to rectification
the right to erasure
the right to restrict processing
the right to data portability
the right to object
the right not to be subject to automated decision-making including profiling.
Overall, the rights covered under the current Data Protection Act (DPA) are the same as those under the GDPR, but some rights have been enhanced. If you are set up correctly right now, then your transition should be relatively seamless. If you’re not, now is the time to check the procedures you have in place, and how they need to be updated.
5. Update subject access request procedures
Your current procedures for subject access requests are likely to need updating, so you’ll need to look at how you handle these requests with respect to the new rules. When the GDPR comes into force you will not be able to charge for requests (in most cases), you’ll have a month to comply, and you’ll be able to refuse requests you consider to be unfounded or excessive, but you will need to tell the individual requesting access exactly why and let them know that they can complain to the supervisory authority.
6. Identify the lawful basis for processing personal data
Have you considered your lawful basis for processing personal data? If not, you need to do it now, because under the GDPR you will need to document it and organise your privacy notice to explain it clearly. The new regulations will differ from the current DPA because they will state that some individuals’ rights will be modified depending on your lawful basis for processing their personal data.
A good example of this is that individuals will have more of a right to have data deleted when you use consent as a lawful basis for processing. You’ll also have to explain your lawful basis for processing personal data in your company privacy notice, and whenever you get a subject access request.
7. Review how you gain consent
Consent is a very important part of the GDPR, and something that many small businesses that work online will need to refresh or update to ensure that they are complying in May 2018.
Consent must be freely and willingly given; it must also be specific, unambiguous and informed. It is critical that there is a positive opt-in process, and that it is not just inferred from pre-ticked boxes, inactivity, and silence. Your small business will also need to ensure that withdrawing consent is simple and quick. While you will not be required to automatically refresh existing DPA consents before the GDPR, if your company relies on people’s consent to process their data, then you should meet the GDPR standard on being clear, prominent, opt-in, properly recorded and easily withdrawn.
If you operate your business online, and collect clients’ data through websites or lead pages, your website design and development will need to be tailored to the new rules.
8. Check your data breach procedures
While some businesses are already required to alert the ICO of personal data breaches, the GDPR will take this one step further. From May 2018, all companies will need to report breaches to the ICO, and in certain cases, to individuals. Because of this, you need to make sure you have the right procedures in place to spot, report, and investigate a personal data breach. It would also make good business sense to ensure that you have the latest IT security systems and software in place, with a good IT support company constantly monitoring and maintaining these.
In light of a breach, you will need to notify the ICO when it is possible that the breach is a risk to the rights and freedoms of individuals. For example, if the breach could cause discrimination, financial loss, loss of confidentiality, or damage to reputation.
Evaluate the types of personal data you hold on people, and document exactly when, if you suffer a cyber attack, you would need to tell the ICO or individuals that have been affected. Failure to report will result in a fine, plus a fine for the breach itself, making cyber security breaches a very costly reality.
9. Consider a privacy by design approach
Under the GDPR a privacy by design approach will become an express legal requirement, and will be called ‘data protection by design and by default.’ Privacy Impact Assessments will also be mandatory in some circumstances and will be called Data Protection Impact Assessments (DPIAs).
A DPIA will be required at times when data processing poses a high risk to individuals. Examples of such situations include: where new tech is being used, profiling operations which might significantly affect individuals, or where there is processing on a large scale in special categories of data.
You’ll need to consult the ICO in situations where the data processing is a high risk which you are unable to mitigate.
10. Appointing a Data Protection Officer
Depending on your business, you may formally be required to designate a Data Protection Officer. This person would need to take responsibility for the data protection compliance of your company.
If you are a public authority, a business that carries out regular or systematic monitoring of individuals on a large scale, or an organisation that carries out large scale processing of special categories of data (such as health records) then you will formally be required to have a Data Protection Officer (DPO). Schools or health-based organisations will have even stricter rules applied, with appointed DPOs needing years of experience in that particular business or organisation. Overall, the DPO will sit within a business’s structure and will need the proper knowledge, support and authority to do their role properly.
Worried about the GDPR and how it will affect your small business and IT systems or processes? Contact us today to have a chat with our IT support experts on how we can help.