Do I need to comply with GDPR?
The answer is “most likely” if you handle any personal data from EU subjects.
The responses I have heard from small business owners to that question have varied:
- I’m not a limited company.
- I only call myself a Director, I’m not a real one. I’m just a sole trader.
- I only trade in the UK.
- If you apply an EU filter to my website, I don’t have to comply.
- I’ve no idea what GDPR is so it probably doesn’t affect me.
- I don’t have any clients in Europe.
GDPR is the General Data Protection Regulation that came into force in May 2018.
There was a great kerfuffle in the lead up to it superseding the Data Protection Act 1998 with many myths and misinformation circulating. In fact, I would go as far as to say that there appeared to be general panic amongst the small business community.
However, since 25 May 2018 it’s all gone quiet and many people seem to think that GDPR has now gone away. That thought could not be further from the truth.
The Information Commissioner’s Office has started to issue fines – and not just to big companies. For example, an individual has been fined £33,500 for using ex-colleagues’ login details to access customer records from his ex-employer, and also faces a 12-month prison sentence if he doesn’t pay the fine. And an estate agency has been fined £80,000 for a data breach that left customers’ personal details exposed. And there’s more.
If you think that data protection law doesn’t apply to you, you may want to take this Data Protection Self Assessment.
I bet after the first question, you’ll realise that GDPR does apply to you and that you do need to carry out a GDPR compliance exercise.
At first sight, the Guide to the General Data Protection Regulation (GDPR) from the Information Commissioner’s Office can seem quite daunting, but you’ll probably find that you’re already doing some of what you need to do to comply. To be honest, if you’re a reputable business owner, taking good care of your customers’ or clients’ personal data will be what you naturally want to do anyway.
The Information Commissioner’s Office isn’t out to get you. They want to make it as easy as possible for you to comply and have some really useful information on their website including this GDPR checklist for small business owners and sole traders to determine how well they are already complying with GDPR.
But what is personal information?
There is a range of personal information. Some is obvious such as name, address, phone number, NI number, email address and NHS number, but it also includes things like IP address, cookies, images and location.
Sensitive personal information includes data about:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Sexual orientation.
Special personal data includes information about the commission or alleged commission of a crime.
How do you comply with GDPR?
To be honest, I got a bit bogged down with GDPR initially, so I purchased GDPR Advisors’ Small Business GDPR Pack (for solopreneurs) which was really helpful in walking me through the process.
Suzanne Dibble also offers a GDPR Compliance Pack, which I also have access to as I subscribe to her Small Business Legal Academy. The thing I like about Suzanne Dibble is that she keeps her subscribers up to date with changes by email, for example about the recent changes to the cookie guidance and clarification about website opt-ins.
So, what does GDPR compliance involve?
[Disclaimer: I’m not a lawyer and the information in this blog post is not intended to be legal advice. It is simply my understanding in a nutshell of the process a small business must go through to become GDPR compliant. It is by no means comprehensive and I would recommend that if you are in any doubt about what you need to do you contact the Information Commissioner’s Office and/or a lawyer who specialises in data protection matters. It’s also worth mentioning that if/when the UK leaves the EU, the legislation with regards to UK businesses is likely to change.]
Step 1: Register with the Information Commissioner’s Office
If you are collecting personal information and need to comply with data protection legislation, you should register with the Information Commissioner’s Office and pay a fee too. There are three payment bands from £40 to £2,900, but most organisations will need to pay £40 or £60.
Step 2: Carry out a data audit
Set up a spreadsheet that shows:
- What information you are collecting, e.g. name, address and email address
- Where you are collecting it from, e.g. from an order form
- Whether you need consent and whether you have it
- Who you are sharing this information with
- Where the information is being stored
- How long you are storing the information for
- How you destroy it
Your data audit will help you to understand where you’re starting from and what you need to put in place with regards to contracts and security measures to protect the personal information you are collecting or have access to.
Step 3: Prepare collection notices
Step 3: Determine whether you are a Data Controller or a Data Processor
You may be a Data Controller or a Data Processor, or both, within your business.
The Data Controller decides what data is collected, why it is collected and how it will be used. A Data Controller must have a Data Protection Policy, a Data Retention Policy and associated procedures as well as written agreements with any Data Processor. The Data Protection Policy does not have to be complex, but it does have to outline how you work, how data transfers take place and how you secure and protect information that is shared with you.
The Data Controller must obtain guarantees about data security from a Data Processor and report any data breach to the Information Commissioner’s Office.
A Data Processor is a person or organisation who uses personal information to provide a service or supply goods on behalf of the Data Controller. There must be a written agreement between the Data Processor and the Data Controller.
It is interesting to note that email marketing systems such as Mailchimp, email clients such as Gmail or cloud storage such as Dropbox or OneDrive are classed as Data Processors under GDPR, especially with regards to the transfer of personal data.
Both the Data Controller and Data Processor must have adequate security measures to protect personal information. This includes having secure storage for paper files, a password protected mobile phone and laptop, password and encryption protection for electronic records and not transferring data outside the EEA unless there is an adequacy agreement such as the EU-US Privacy Shield.
Step 4: Determine your lawful grounds for processing personal data
Article 6.1 of GDPR sets out the lawful grounds upon which you can process personal data.
- You have consent to process the personal data for a specific purpose, which is often for marketing activities. You’ll need to keep records of the consent you receive and also have a system for people to withdraw their consent (and keep appropriate records of this).
- You need to process the personal data in order to carry out/enter into a contract.
- You need to process the data to comply with a legal obligation.
- Processing the personal data is necessary to protect someone’s vital interests – this is generally for matters of life and death, literally.
- You need to process the personal data to perform a specific task in the public interest that is set out in law.
- You are processing the personal data for the purposes of legitimate interests. This is the most flexible lawful basis for processing personal data but also a bit of a grey area. It generally covers using someone’s personal information in a way that they would reasonably expect it to be used and which would have minimal impact on their privacy.
Step 5: Check the security of your data
Make sure that you are keeping personal data secure.
- Are you using password protection and/or encryption for your laptop and mobile phone?
- Make sure you don’t use the same password for everything.
- How are you storing paper files? Are they in a locked filing cabinet?
- Beware of phishing emails and scams.
- Don’t use USB drives unless they are encrypted.
- Shred unnecessary paperwork.
- Consider where your cloud storage is.
- Ensure you have picked the correct person from your contact list when you send an email.
- Do your email attachments need to be password protected? If they do, send the password by a different method of communication such as by text message or phone.
- Don’t send passwords, sensitive information, credit card details etc. by email.
- Use BCC if you’re emailing a number of people to avoid disclosing their email addresses to everyone else.
Step 6: Identify all transfers of personal data to third parties
You can transfer data from the UK to countries within the EEA without needing permission from the individual. However, you can only transfer data to third parties outside the EEA if you have permission from the individual or a legitimate reason to transfer the data and appropriate safeguards of the data can be guaranteed.
EEA countries that are not part of the EU are Norway, Iceland and Liechtenstein. The European Commission has also agreed that certain other countries have adequate safeguards and transfers to these countries won’t break the adequate safeguard requirement. These countries are: Andorra, Argentina, Canada, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Faroe Islands and Uruguay. If personal data is transferred to the United States it must be certified under the EU-US Privacy Shield Framework.
These data transfers are particularly pertinent to the cloud software you use such as email marketing platforms, email clients, cloud storage, website servers, client relationship management systems, and many others.
Step 7: Put a system in place for Subject Access Requests
People have the right to ask for the personal information you hold about them. However, you are no longer allowed to charge for providing this information and you must respond within 30 days.
Step 8: Put a procedure in place for data breach notification
If there is a data breach that leads to ‘the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data’ that is likely to result in a risk to the rights and freedoms of an individual, the Data Processor must inform the Data Controller, who must inform the Information Commissioner’s Office within 72 hours.
Step 9: Make sure your insurance is adequate
Speak to your insurance company to make sure that your insurance is sufficient to cover any increased liability due to GDPR.
As a small business owner, I want other people to take good care of my personal information, so I do the same for them. I personally think that GDPR makes good sense, especially as in this ever more technological age, there are people whose ‘job’ it is to extract as much personal information as possible from the unwitting. We have all heard stories of people losing money from their bank account through an elaborate scam, having their website hacked or their credit card being cloned so we can’t be too careful and GDPR can help us as small businesses to be diligent.
Sarah Liddle is The Lady in the Shed. She is a virtual assistant specialising in marketing, admin and techie solutions for small businesses, a smallholder, a sheep farmer and a farm bygones dealer. She loves supporting small business owners to do whatever they do by enabling them to use their time more effectively.