With the clock ticking on the introduction of the GDPR (General Data Protection Regulation) on 25 May 2018, we know from speaking to many companies that reactions range from confusion to burying heads in the sand! Check our quick guide to the top 10 questions a lot of businesses have about the GDPR.
1) We are only a small business – the GDPR doesn’t apply to us, right?
WRONG! – The GDPR applies to companies of ANY size, ANYWHERE in the world, that process the personal data of people in the EU. There is no small-business exemption. Specifically, it covers any organisation established in the EU, and any organisation outside the EU that offers goods or services (paid or free) to people in the EU or monitors their behaviour there, for example by tracking website visitors. In this respect it is the first data protection law with explicitly global reach.
2) We already delete the phone numbers and email addresses of old, redundant contacts. What else do we need to do?
The GDPR has broadened the scope of what constitutes ‘personal’ data. This means that companies must carry out an audit to find where they are storing this information across their IT systems, including spreadsheets, email, backups and cloud services. The GDPR treats anything that can be used to identify an individual, directly or indirectly, as personal data: not only names and contact details, but also online identifiers such as IP addresses and cookie IDs, location data, and information about health, age, cultural or ethnic background, economic or social status, or genetic and biometric characteristics. Several of these (health, ethnicity, genetic and biometric data among them) are ‘special category’ data that attract stricter rules. In practice, much of the information a business holds about people will be personal data.
3) We have a tick box for people to opt out of receiving marketing information from us – is that enough?
Not nearly enough under the GDPR. From 25 May 2018 you need a lawful basis for every processing activity. Consent is one such basis (others include performing a contract with the person, a legal obligation, and your legitimate interests), but where you rely on consent it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. A pre-ticked box, silence or an opt-out does not count, and consent must be as easy to withdraw as it was to give. Whatever basis you rely on, you must also tell people clearly what you will use the information for and how long you will keep it. For example, a recruitment agency that wants to use a candidate’s mobile phone number or email address to contact them with job offers must either have their consent for that, or be able to show another lawful basis, and must say so in its privacy information.
8) We employ fewer than 10 people, do we still need to appoint a Data Protection Officer (DPO)?
Possibly! Under the GDPR the test is based on what you do, not how many people you employ. Germany, for example, has long required companies with ten or more people regularly engaged in automated processing to appoint a DPO. The GDPR instead makes it mandatory for public authorities, and for any organisation whose core activities require ‘regular and systematic monitoring of data subjects on a large scale’ or consist of large-scale processing of special category data (such as health data) or criminal conviction data. Because of the tracking and profiling technology available today, some quite small companies will meet this test.
Most small businesses that only process customer and employee data in the ordinary course of trading will not be legally required to appoint a DPO, but you can appoint one voluntarily (in which case the DPO’s statutory duties apply in full), and either way someone in the business must be responsible for data protection compliance.
5) Surely this only matters if there is a breach?
Many companies wrongly assume that they only need to worry when there is a breach. The GDPR introduces an accountability principle: you must be able to demonstrate that you comply, which means keeping records of your processing activities and the lawful basis for each. It also introduces mandatory risk assessments, known as ‘Data Protection Impact Assessments’ (DPIAs, the successor to Privacy Impact Assessments), which must be carried out before starting any processing that is likely to result in a high risk to individuals, for example large-scale profiling, systematic monitoring of public areas, or large-scale use of special category data. For other projects a DPIA is still good practice.
It is important to remember that although a breach itself is a serious event, it is now extremely important to be able to demonstrate as a business that you made every reasonable attempt to comply with the regulation. If you do have a breach, you can expect a more thorough examination of your processes from the Information Commissioner, and your records and DPIAs will be the first things examined.
6) What actually happens if there is a breach?
When your company becomes aware of a personal data breach, you must report it to your supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to the people affected. If the breach is likely to result in a high risk to them, you must also tell the affected individuals without undue delay. Every breach, reported or not, must be documented internally together with its effects and the action taken. To meet this you need processes that can detect a breach in the first place (logging, monitoring, and a way for staff to raise concerns), as well as a tested procedure for what to do when one occurs, including who decides whether to report and who contacts the regulator.
Prevention may involve some re-education of your workforce, and changes to current operating practices. For example, how many companies do you know that regularly send blanket SMS messages or emails to customers? How many companies take lists of people off site, on laptops or paper, for any number of valid reasons? All of these practices will require additional thought and care post GDPR.
7) We have a database of old customers that we’ve had for years, surely we can keep that?
One of the GDPR’s strictest principles, storage limitation, is that organisations do not keep personal information for longer than they need it. For example, a customer who buys a widget from you will have provided personal information for the purpose of that transaction, not for you to then contact them years afterwards about completely unrelated products or services. Alongside this sits data minimisation: collect and keep only the data you actually need for a stated purpose. You should set retention periods for each category of data and delete or anonymise it when they expire.
An employee, by contrast, will have provided you with contact information and taxation information about themselves. If they stop working for you, it would be reasonable to assume that you no longer need their contact information such as a mobile phone number or email address, but you would need to keep their National Insurance number and payroll records for longer because of statutory record-keeping requirements.
People also have a right to erasure: in certain circumstances, for example where the data is no longer needed for its original purpose or they withdraw consent, you must delete their personal data on request. This is separate from your own obligation to delete data when its retention period ends, whether or not anyone asks.
8) We are not a ‘data controller’, are we exempt?
No, you are not. Before the GDPR, only data controllers carried direct legal responsibility for data processing. The GDPR places direct obligations on data processors as well, including keeping records of processing, implementing appropriate security measures, reporting breaches to the controller, and only processing data on the controller’s documented instructions. If your company provides services to a data controller and that involves handling personal data, you will need a written contract with the controller covering these points, and you will need to comply with the rules yourself.
9) What do I need to know about privacy?
Firstly, you should have a clear privacy notice that gives the information the GDPR requires: who you are, what you collect, why and on what lawful basis, how long you keep it, who you share it with, and what rights people have. If you operate a company website, display the notice on it, and protect personal data submitted through any contact form or similar mechanism. At a minimum, serve the site over HTTPS with a valid TLS certificate (still commonly called an ‘SSL certificate’), redirect plain HTTP to HTTPS, and never accept form submissions over an unencrypted connection.
Software and databases have traditionally not been designed to allow true deletion or erasure of personal information. The GDPR requires ‘data protection by design and by default’, so in future your systems must be able to support this, including copies held in backups and exports. If you are using a CRM or similar system, speak to your software supplier about how it supports deletion, retention periods and subject access requests, and how you can make the system compliant.
10) Some countries are much more relaxed about data protection, surely this puts us at a disadvantage?
No – under the GDPR, each EU member state’s supervisory authority (the ICO in the UK) can pursue organisations anywhere in the world for breaching the regulation, and most non-EU organisations within its scope must appoint a representative in the EU. With fines of up to €20 million or 4% of total worldwide annual turnover, whichever is greater, it is now an issue that businesses cannot ignore.
For more information, visit the ICO’s website at https://ico.org.uk
For an in depth guide to the GDPR and to download a pdf visit https://ico.org.uk/media/for-organisations/data-protection-reform/overview-of-the-gdpr-1-13.pdf
For advice on undertaking a self assessment, visit https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
Thanks to Chrysalis Digital for allowing publication of this article