The General Data Protection Regulation (GDPR) comes into law on 25 May 2018 for all European Union (EU) member states, including the United Kingdom (UK), which will still be a member of the EU at that time. The GDPR will be incorporated into UK law by the European Union (Withdrawal) Bill, so the GDPR standards will continue to apply following Brexit. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to EU citizens.
It aims to strengthen the rights of individuals in an age where huge amounts of information are collected, processed and stored – sometimes without their permission. The GDPR introduces new responsibilities for companies (through its Accountability Principle) and dramatically increases the sanctions for non-compliance (for example, through significant fines and other enforcement measures such as the suspension of data transfers).
All small and medium-sized enterprises (SMEs) in the UK will have to comply, but it’s estimated that only about a third have started to prepare. Here are some practical steps you can take to kick-start your GDPR planning.
Reduce the risk from the personal data you hold
The GDPR covers personal data and sensitive personal data – a broad category which includes any information that identifies individuals, either directly or indirectly. This includes names, addresses, IP addresses and GPS data. By now your firm should have mapped out what personal data and sensitive personal data you hold on customers and employees and how you process it. Make sure this information is up to date and, if it’s used for marketing purposes, that your firm has obtained the individual’s consent to contact them. If you hold data which is out of date or unrelated to the purpose it’s being processed for, consider deleting it. Your marketing team may have to run an opt-in campaign with your existing database if the consent you hold to contact your clients isn’t in line with the new requirements, since pre-ticked opt-in boxes are banned.
Update your privacy notice
Under the GDPR, individuals have the right to be informed about how you use their personal data, usually via a privacy notice. This outlines how and why their data is being processed at the point of data collection. Under the GDPR, privacy notices must be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge.
Econsultancy has put together a guide on how to create best practice privacy notices.
Plan how you will deal with requests for information and the right to be forgotten
As well as imposing stricter obligations on those holding personal data, the GDPR gives individuals more power to access the information held about them. Requests for personal information (Data Subject Access Requests) can be made free of charge, and the information must be provided within 30 days.
Individuals also have the right to be forgotten in certain circumstances – such as where the data is no longer necessary for the purpose for which it was collected, where consent is withdrawn, where there is no legitimate interest, and where it was unlawfully processed. In practice, this can be as simple as having an unsubscribe option in your marketing emails.
Enhance your cyber security plans
The increased responsibilities to keep personal data secure, coupled with stiffer penalties for non-compliance (up to 4% of global annual turnover or €20 million, whichever is higher), mean companies are reviewing the strength of their cyber security plans.
If you suffer a data breach that could be detrimental to the individuals you hold data on, you have 72 hours to report it, and you also need to notify the people affected. Employees within your firm should therefore understand what a data breach is and how it should be flagged internally – this will be vital to meeting the 72-hour deadline.
Many SMEs are investigating buying cyber insurance for the first time, not just to protect against the insurable elements of GDPR, but also for the breach response support. Well-designed policies will include IT, legal and PR assistance following a data breach, and will normally cover the costs associated with a mandatory breach notification. The expert help during a breach will not only help you meet the deadlines involved but also help resolve the incident quickly, minimising disruption.
Make the most of the resources available to SMEs
There’s a huge amount of material available online to help SMEs get GDPR ready:
- The Information Commissioner’s Office (ICO) SME toolkit includes a readiness assessment tool and a 12-step guide on how to prepare for the GDPR. The ICO has also launched a dedicated telephone advice line for SMEs and will publish a further guide by the end of the year;
- Research the advice from relevant trade associations on how to deal with the specific issues facing your industry; and
- If you are considering buying cyber insurance for the first time, the Association of British Insurers has published a guide to buying cyber insurance for SMEs.
One of the key points to emphasise is that, under the GDPR’s Accountability Principle, your firm will have to record the steps it has taken to ensure it meets the GDPR’s requirements.
If you have any further questions, get in touch with the Data Protection Officer at TMHCC International at firstname.lastname@example.org