GDPR for Small Businesses
September 15, 2017
As a small business owner you will probably already be aware that Data Protection regulations are going to change in May 2018. You will almost certainly be affected if you hold data on individuals in any form. But there’s a lot of poor information swirling about. Don’t get caught out by GDPR myths. We’ve compiled a list of need-to-know tips to help clarify what your responsibilities will be.
What is GDPR all about?
GDPR is law designed to protect the privacy of individuals over businesses (and other organisations), and give them more power to control the information that businesses hold on them. It is an evolution of the current Data Protection legislation which is 20 years old.
By and large, the new GDPR regime represents a step change, rather than a leap into the unknown.
Steve Wood – Deputy Commissioner for Policy, ICO
In this blog post, I’ll stick to only what is of interest to most small businesses. You’ll need extra advice if you process data about children.
Where to start
The key to understanding GDPR is to first understand the Principles of Data Protection:
- Personal data should be held fairly and lawfully
- Only for specified purposes
- Data should be adequate for the purpose but not excessive
- Personal data should be accurate and kept up-to-date
- Kept for no longer than necessary and deleted when no longer necessary
- Processed in accordance with the rights of the Data Subject (the person whom the data is about)
- Kept secure and safe, with policies and procedures in place to ensure this
- Not transferred to any country outside the EEA (unless they have a level of Data Protection legislation which is up to the same standard as ours)
I’m assuming that your business is registered with the ICO already and has policies and named people in charge of assuring compliance with the current data protection legislation. Now let’s see how GDPR changes the law.
Who does it apply to?
Pretty much everybody who has any kind of store/database/list of personal data.
What is personal data?
It can be “anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
When does it come into effect?
GDPR will apply from 25/5/2018. It will not be affected by Brexit.
When can you hold personal information?
There are several reasons why you will be lawfully able to hold personal information. They boil down to:
- If you have their consent
- If it’s necessary for legal reasons
- If it’s necessary to protect that person’s “vital interests” (e.g., for their own safety)
How do I get consent?
The key to GDPR is gaining the consent of the individual. This must be obtained, and in the right way. The guidelines say consent must be
“Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.
Let’s unpack that a little.
This means you need to specifically ask for consent and allow the individual to decline to give it.
This means that when they consent to be on your mailing list to receive special offers, you can’t then use that list to inform them about other things. You can only use their data for the reasons they consented to.
This means you can’t, for example, hide the consent in a set of terms and conditions. It must be out there for the individual to clearly see, often in the form of a checkbox on a website, or a button on a mobile app.
Consent must be active – it must involve some interaction on the part of the user. For example, pre-ticked checkboxes to opt-in to mailshots will be forbidden. The user must interact in some way, for example ticking a checkbox.
Their consent must be clear and unambiguous. You will not be allowed to use vague or non-specific language to describe what you will be using their data for.
Different marketing activities will need separate consents.
Furthermore you will need to provide continual access to easy-to-use ways for the user to withdraw their consent at any time. This could take the form of a hyperlink in an email that leads to an unsubscribe page. That unsubscribe page shouldn’t be used for any other purpose and should be very clear and unambiguous.
The concept of bundling consent will be prohibited.
Bundling is when you require consent for one thing in order to gain access to another. For example, if you require your users to sign up to your mailing list in order to gain access to a white paper you have produced.
Personal data rights
GDPR creates and strengthens the rights individuals have to control data about them.
- Right to be informed
Individuals will have rights to be informed about data collection and processing. Usually done through a privacy notice. Details.
Individuals will have rights to access their data. Details.
Individuals will have rights to have their data corrected if it is inaccurate or incomplete. Details.
Individuals will have rights to have their data erased. Also known as the “right to be forgotten”. Details.
- Rights to restrict processing
Individuals will have rights to block or stop you from processing their data. Details.
- Rights to data portability
Allows individuals the right to get their data in an easily usable form to be used with other services. Details.
Allows individuals the right to object to the processing of their data. Details.
- Rights to control automated decision making and profiling
Protection against when machines take decisions about individuals automatically. Details.
What do I need to do?
Make sure you attend to three key duties:
- Document how you comply with GDPR
- Report breaches of data privacy and security
- Keep data safe and secure
Will we be able to continue using our existing mailing lists and databases?
This is very important. You will only be allowed to continue using these if the consent with which the data was gathered meets the new GDPR standards.
There will be many businesses out there who have gathered mailing lists over the years from a wide variety of sources – some of which may be compliant and some which may not. Examples would include business cards collected and networking events, customer enquiries etc.
Sorry, but you will not be able to continue using these lists.
And what if we get this wrong?
Expect high fines, up to 4% of turnover.
Don’t try to be sneaky. This year both Honda and Flybe received large fines for sending emails asking customer to “confirm their marketing preferences were up to date”. The ICO took the view that these were simply marketing communications because they were sent to customers who had already unsubscribed from their mailing lists.