From 25 May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 (DPA), which governs the processing, handling and storing of personal data.
If you need any help in making sure you understand the impact of the legislation on you and your business or support in putting the right processes in place, do contact us as soon as possible.
As you may be aware, there are penalties for non-compliance, but more importantly this is a good time to take stock and review your current processes.
A number of the GDPR’s main principles are the same as those in the current DPA, so if you are complying with the current law, then you are in a much stronger position to make the additional changes required of you. If, however, you are unsure as to how compliant you are, or you think your current processes and systems for handling, processing and storing personal data need some work, then now is the time to get it right.
We have prepared a short guide for you with practical steps you can take now to help you comply with the GDPR by the final deadline of 25 May 2018.
(Please note: this guide does not constitute legal advice and does not cover all of the GDPR obligations that may be relevant to your business, so do please contact us so that we can better assist you).
GDPR Compliance for Founders and Small Businesses in 5 Easy Steps
1. Document the data that you hold, where the data came from and who you are sharing it with.
You should only process accurate personal data and any outdated or imprecise personal data should be deleted or updated. As a business, you are responsible for the personal data you manage and for the data that you provide to third parties. This means that if you pass on incorrect personal data to a third party, you are responsible for not only correcting the personal data you hold but informing the third party that they also need to update their data too.
Personal data must also be removed, destroyed or anonymised once the purpose for collecting the personal data has been fulfilled, for example, a project or contractual relationship where you have received personal data has ended (unless you have another lawful reason for keeping it).
Reviewing your existing data and ensuring that you know:
- what personal data you have;
- why you have it;
- where it is;
- who else has access to the personal data; and
- how you got it in the first place,
is the first step to ensuring that you are ready for 25 May 2018.
2. Understand the lawful basis you will rely upon to hold the data
After you have a strong understanding of what data you have and what you use it for, you must then consider the lawful basis you will rely upon to retain the data. After 25 May 2018, you will only be permitted to hold data that is necessary and relevant to the purpose you need it for and you will need a lawful basis for holding the data.
It may help to compartmentalise your data in order to establish separate legal bases for each category. Typically, a business will hold data on its clients/customers and its employees. It may also hold data on past clients/customers, on potential employees if it is recruiting, on past employees and on other businesses or individuals for marketing purposes. Please note that this list is not exhaustive as each business is unique and the categories you choose will be specific to your business.
There are six lawful bases for holding data; these are set out in Article 6(1) of the GDPR and are as follows:
1. Consent
The GDPR sets a high standard for consent, but you often won’t need it for the categories of data set out above. If you do need consent, you should ensure that the request for consent is clear and concise, in plain language, and avoids the use of confusing terminology or legal jargon. Pre-ticked boxes or other methods of default, or opt-out, consent will no longer be valid. Under the GDPR, individuals must opt in for you to be able to process their data.
If you rely on this legal basis for processing data, bear in mind that individuals can withdraw consent at any time, and they should be told this at the time of consenting.
When asking for consent you should include:
- Purpose of the processing and the legal basis for the processing;
- An active opt-in clause;
- The name of your organisation;
- The name of any third party who will rely on the individual’s consent to use the data;
- On what basis you need the data;
- What you will use it for;
- How long you will retain the data for.
2. Contract
You will have a legal basis to hold data where it is necessary to give effect to a contract. For example, to supply goods or services that a client has requested, to fulfil a contract of employment or to pay a third party.
3. Legal Obligation
If you are required under English or EU law to process data for a specified purpose, you will have a lawful basis.
For example, if you have a contract with a client to provide services and you have subsequently provided those services and the contract has ended, you may no longer have a lawful basis upon which to hold their data. However, if you have an obligation to comply with a regulatory body or an insurance policy to retain client data for a period of time after you have provided the services, you may be able to rely on this lawful basis for retaining the data after the expiry of the contract.
4. Vital Interests
This basis is limited in scope and only applies if the processing of the data is necessary to protect someone’s life. The Information Commissioner’s Office states that this generally will only be relied upon in cases of ‘life and death,’ for example emergency medical care.
5. A Public Task
This is not likely to be relied on by small businesses or founders, as it relates to public bodies. For example, if a public body needs the data to carry out official functions or a task in the public interest, then this will be a lawful basis.
6. Legitimate Interests
This is important for private sector organisations, as you are able to process personal data if you have a genuine and legitimate reason, for example a commercial benefit or to fulfil an obligation. You must, however, ensure that there is no unwarranted impact on the individual, i.e. that the processing does not harm their rights or interests.
A commercial benefit is not usually considered sufficient to hold data for marketing purposes. For example, in the specific context of email marketing, holding an email address for the sole purpose of sending marketing emails does not fall under this as there is no certain commercial benefit for either party. The general consensus with regards to marketing is that it is safest to obtain consent.
Once the purpose has been fulfilled, the lawful basis will expire and the data should either be deleted, or anonymised, unless there is another lawful reason for keeping it (for example to comply with your insurance policy, legal obligations or other regulators).
3. Ensure that the data you hold is accurate, up to date and stored securely
As discussed above, you should only hold personal data for a specific purpose. This supports the concept of data minimisation – the less data you have, the easier it is to keep it accurate and up to date.
You are responsible for the personal data you hold. You must therefore securely protect the data from theft, loss or misuse.
The way that this is done can vary and can be proportionate. The following is a helpful checklist:
- Ensure strict rules are in place for who can access what data and when. Create passwords and files for specific data, for specific purposes, and ensure that all employees understand the importance of this. For example, only the person who needs access to your employees’ data should be allowed access to it.
- Data should be encrypted at every opportunity if it is stored on a computer, and if data is stored in a cloud-based system, try to implement user-managed keys to provide an extra level of security for more sensitive data.
- If you hold hard copies of data, ensure that they are organised, that you can easily locate all the information that you need, and that you keep track of any copies that may be made.
- Make sure that documents are kept private; having personal data on office walls, for example, may constitute a breach. This is especially important if you work on paper files, as transportation of this data should be very carefully considered given the evident threat to the security of such information.
4. Check your existing third-party contracts (e.g. when outsourcing payroll/HR/IT/marketing services to another company)
If you currently employ a third party to process personal data (a data processor) on your behalf, then you should already have a written contract in place in order to comply with the DPA. However, under the GDPR, data controllers (your business) can be held directly liable for the non-compliance of data processors, so it is important to ensure that third parties who have access to your data are also GDPR compliant.
Steps to take:
- Identify all third parties who have access to personal data you have provided them with or who have access to personal data you hold;
- Make sure your data processor understands the reasons for the changes and the new obligations it has under the GDPR, as well as the possibility of being subject to an administrative fine or other sanction if it does not comply with its obligations;
- Review your current contracts and ensure wording is included to reflect the new GDPR contract requirements and also that definitions are updated to align with the GDPR definitions. Additional wording should cover details of how data is processed and the processor’s obligations (including the standards the processor must meet when processing personal data and the permissions it needs from you in relation to the processing);
- Make sure both you and your data processor are clear about your roles in respect of the personal data that is being processed and that you can evidence this;
- Add a clause to cover what the third party should do in the event of a data breach. The general rule is that they should notify your business upon discovery of a breach as soon as is reasonable and at the latest within 72 hours.
5. Ensure that you have a procedure in place to detect, report and investigate data breaches
A data breach is a serious matter, even in a small business. Having a procedure in place in case something does go wrong is therefore critical.
You should know how to recognise a personal data breach, which includes understanding that it is not only about loss or theft of data, but also misuse of that data. In short, it can be defined as a security incident that has affected the confidentiality, integrity or availability of personal data, for example if your IT system is hacked or somebody accesses personal data without authorisation. You should have a procedure in place to deal with this in a timely and organised manner.
If the breach is likely to result in a risk to the rights and freedoms of the individuals whose data you hold, then you must notify the Information Commissioner’s Office without undue delay and within 72 hours of your business becoming aware of the issue, even if you do not have all of the information about how it happened at that point.
This disclosure must include details on the individuals concerned, the likely consequences of the breach, what measures have been or will be taken to deal with the breach and the volume of data concerned.
Even if you do not think that the breach should be reported to the ICO, you should have an internal system for recording breaches (including perhaps a disclosure form) and how your business deals with them.
If you need further advice regarding the General Data Protection Regulation, do not hesitate to get in touch with the team at Fortune Law on firstname.lastname@example.org or 020 3709 9670.