Many small businesses remain blissfully ignorant of the new GDPR rules that come into force next year. But now is the time to make sure they’re fully prepared for its introduction, as Jo Faragher explains
World Emoji Day might seem an unusual time to highlight a data protection campaign, but this year the Information Commissioner’s Office (ICO) used it to heighten awareness of the General Data Protection Regulation (GDPR), which comes into force in May. On Twitter, the ICO used emojis of the three wise monkeys (hear no evil, see no evil and speak no evil) to tell businesses they cannot afford to be those monkeys when it comes to GDPR.
According to a survey by law firm Irwin Mitchell, many firms still have their hands over their ears. Only three in 10 have prepared for the new regime, despite the fact that 18 per cent said they would go out of business if they received the maximum punishment – a fine of €20 million or 4 per cent of global turnover.
“Lots of small businesses seem to think that it won’t apply to them,” says Andrew Brenton, a Data Protection Consultant. “They say ‘I don’t use a computer’ or ‘Brexit means it won’t come into force’.”
Yet in all these cases, GDPR will still apply – businesses of any size that process data, even on paper, will need to keep more stringent records of how they handle that data. And because the regulations come in next year, at least a year before the UK formally leaves the EU, they will become domestic law in the UK.
The main shift is that the new law will give more rights to individuals, and companies that use their data become more accountable. “There will be a lot more record-keeping, making sure privacy notices are compliant and that they cover what data will be used, what the data will be used for, and why,” explains Dawn Kenyon, Managing Director of employment law consultancy and FSB member RADCaT. “You can’t have a catch-all policy any more; you need to be a lot more explicit about what you’re doing with the data.”
For individuals, GDPR introduces the right to be forgotten, as well as to access their data so they can ensure information held on them is accurate, and to ask questions as required.
There will be some exceptions, however. “There are circumstances where other legislative and legitimate business requirements will override the individual’s right to be forgotten: for example, if you decide to keep employee performance records for a period of time following their resignation, in case of a future claim,” says Jason Dowzell, CEO of the software company Natural HR.
“But you should be very clear on what you are keeping and for how long, and then ensure you remove it when it is no longer needed.”
For small businesses just starting on their GDPR journey, the best first course of action should be a data audit. “You need to get an understanding of the data you hold,” suggests Sarah Williamson, Partner in the commercial and technology team at Boyes Turner.
“Ask managers: in what activities do we process personal data? Is this data sensitive (such as medical or financial data)? Do third parties handle this data and are their systems secure?”
While software programmes and consulting services are available to help, mapping where data is in your organisation and how it’s used could be as simple as an Excel spreadsheet or a whiteboard. “The first thing the ICO will ask for is what data you hold, so have a record for each department. Not knowing won’t look great,” adds Ms Williamson.
Next on the list is to assess any potential risks to that data: what data would present the greatest risk if an unauthorised person gained access? This could be credit card details if you’re a retailer, for example. “Prioritise the riskiest ones now and come up with a plan for how you will deal with the rest of the data in the coming months,” she says.
A robust review of your security arrangements is also necessary. If personal data is stolen in a cyber attack, companies must report the breach within 72 hours. For online businesses, having an ‘https’ website (where exchanges between your browser and the website are encrypted) and performing regular vulnerability checks will help.
“One of the issues can be you don’t know you’ve been breached,” says Andy Gambles, owner of FSB member Servertastic, a web security company. “The most important thing is to show you’ve taken steps to stop it, and that you have processes in place.”
Don’t forget to review your arrangements with third parties – perhaps your payroll is outsourced to an external company, or you use a marketing agency to send emails. You will need to demonstrate that their systems are secure and that they have taken steps to prevent a breach. Review how these arrangements might change in light of GDPR: for example, setting up a virtual private network with partners to share data.
Preparing for GDPR might seem onerous, but reviewing the data you hold can be positive too. “Companies will be able to get a picture of the business from a data point of view,” says Mr Brenton. “They can question why they collect certain pools of data and consider doing something else instead, or discover pools of data that are valuable.”
It’s time to get your house in order.
As an email marketing agency, Future Content deals with individuals’ data every day. But while the company’s Content Marketing Strategist, Tom Sandford, recognises there is much to do before the May 2018 GDPR deadline, he feels the new regulations present an opportunity for businesses to review and improve their marketing communications.
“People are constantly bombarded with sales messages, and the law is forcing businesses to think about what data is actually important to us as individuals,” he says.
The company has already updated its opt-in policies so people on mailing lists have to ‘double opt-in’ (by emailing them a second link to verify they are human rather than a robot), as well as its privacy policies to explain how people’s data will be used.
One of the big issues Future Content will face is in identifying which contacts will be eligible to receive marketing communications after May, as a high proportion may need to be removed. Email marketing tools such as Campaign Monitor can record where subscribers came from and date-stamp when they consented for their data to be used, so there will be an audit trail.
Employees have been given some initial training on what GDPR is and why it is important, so handling data in the right way becomes part of the company culture. “As a small business, it can be difficult to find the time to do things properly, but the biggest danger is we don’t prioritise that cultural change in the way we handle data,” adds Mr Sandford.
It stands for General Data Protection Regulation and, from 25 May 2018, will be the main law on collecting and processing personal data. It will come into effect across all EU member states, so while the UK is still part of the EU, businesses must comply.
How is it different from current legislation?
Individuals have more say in how their data is used. The Information Commissioner’s Office (ICO) can impose increased fines and penalties, with a maximum upper limit of €20 million or 4 per cent of annual turnover, whichever is higher.
What do small firms need to do?
Any business that processes personal data (online or offline) should now review how it handles that data, where it is stored, whether it is shared with third parties and whether it is actually needed.
A good first step is to carry out a data protection impact assessment, a map of the personal data you hold. This should focus on three main areas: how employees control and process the data; processes (how you obtain the data, where you store and send it); and reducing risk (ensuring you have adequate cyber security and data encryption in place).
Under the GDPR you only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals. In practise this means that if unaddressed such a breach is likely to have a significant detrimental effect on individuals. The ICO provides the following examples: result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Such breaches have to be reported to the ICO within 72 hours of the organisation becoming aware of it.