Compliance with the General Data Protection Regulation (“GDPR”) will become compulsory on 25 May 2018. Whilst it is EU legislation, the Government has stated that its provisions will be incorporated into UK law post-Brexit.
The driver for this raft of legislation has been the remarkable increase in data, particularly consumer data, sloshing around the internet over the past few years. Think Facebook, LinkedIn, Google, Microsoft just for starters. So far the use of such data has been largely unregulated.
Governments from around the world have recognised that all this data needs to be controlled, to protect not just businesses but consumers as well. After all, as a consumer, don’t you want that?
There is a lot of scaremongering at present, e.g. talk of huge fines. The reality is that the UK regulator, the Information Commissioner (https://ico.org.uk/), has declared that it prefers to take a supportive, rather than a punitive, approach.
So what you have to do as a business, whether sole trader or multi-national, is to demonstrate to the Commissioner that you tried. If you can’t show this then you might be in for a nasty fine.
How do you demonstrate this? It’s not as onerous as you might think. Here’s what you need to do:
1. Audit your data. Where is it? What is it? Record where and what it is. A spreadsheet is perfectly adequate. Remember that under the GDPR you need to audit the data you hold about employees as well as customers and other businesses. Paper records are fine – just keep them under lock and key, and shred any that you no longer need. All data filed electronically should be protected by passwords/encryption. Restrict “leakage” of data, e.g. on to USB sticks or laptops.
2. Work out who is the owner (“Controller”) of the data and who are the “Processors”, and record that in a document along with what they do with the data, e.g. used for marketing purposes. In larger organisations you must have contracts between the Controllers and Processors, and everyone should be trained in how to handle data.
3. Make sure that you have a legal basis for processing. Record it. You can no longer grab a business card and then send emails to the giver. Potential customers must be given the opportunity to positively consent (“single opt in”). Ideally you should have a “double opt in” process. Give email recipients an easy way to unsubscribe. If you use e.g. Mail Chimp or Constant Contact, the double opt in and unsubscribe options are built in.
4. Give your customers/businesses the rights set out in the GDPR, e.g. the right to see their data and the right to have it erased. Document your procedures.
5. Privacy by design. Carry out due diligence checks on e.g. third party IT companies who host your data. If you have paper records see “1” above: lock them away or (if no longer needed) shred them. Record the process.
6. Manage breaches. You only have 72 hours to report a breach (leak) of data, from when you become aware of it. That’s reporting to the regulator and all those affected. Document your procedures. This is serious.
7. Third Party Suppliers. There is an obligation on you to ensure that those with whom you deposit your data have, in turn, adequate GDPR compliance. So you will have to ask them. Do they have the appropriate ISO standards? Where are their servers? A shed in the back garden is not good enough. If there is a leak of data from e.g. your website host, then you are equally liable. Potentially nasty. So get a contract in place, and insurance.
I have recently advised a client who wanted to land a contract with an Australian company. He had to demonstrate that he complied with GDPR to get it. He got the contract (worth several million) after I advised him and put all the processes and records in place. So, this is not just a local issue – it’s as it was intended to be, worldwide.
For more advice contact me on this website.