Premier Accounts

Better Business in Manchester

How not to hold illegal personal data from spring-2018

If your business holds personal data on clients, customers, suppliers or staff, you must meet the new European General Data Protection Regulation (GDPR) from 25 May 2018. Otherwise, you risk fines of up to Euros 20 million - or 4% of turnover. Compliance is easier than avoidance!

Act now to stay on the right side of the law

How you hold, process and share potentially hundreds of thousands of bits of personal information about individual people is going to change radically early this year.

Postal addresses, phone numbers, names, email addresses and other personal details held for business or marketing purposes will only be permitted if you can show that you have very clear and transparent permission from their 'owners'.

People will also have the right to see what personal details you hold and store on them, and can insist that they are deleted. In certain instances, they will also have a new right 'to be forgotten', for example if they are no longer customers, employees or suppliers.

Draconian penalties

And there will be big penalties for companies that infringe the new European law, or that fail to report a breach to the Information Commissioner's Office (ICO), normally within 24 hours and within 72 hours at the most.

Beware that no business is exempt, no matter how small. Currently, the penalties for infringement can be up to £500,000. However, the Information Commissioner's Office will have new powers to increase these to up to Euros 20 million, or 4% of annual turnover, whichever is the higher.

Data management systems held on mobile devices will be included. Even Brexit will be no get-out clause; the Government has made it clear that GDPR provisions will be taken up by the UK's newly-proposed Data Protection Act.

Why is this happening?

All organisations that 'regularly or systematically' monitor data subjects on a large scale, or process large volumes of 'special category data' must employ a Data Protection Officer (DPO) to make sure the business actively complies with the new GDPR obligations.

The changes coming in on 25 May are being built around two key principles.

The first is to give EU citizens and residents more control of their personal data.

The second is to simplify and unify regulations for international businesses across the EU.

How to get started

It is important to remember that you can keep personal information legally providing you go about it in the right way.

The first recommended step is to be able to show that you understand the type of data you hold, including bank details, photographs, or sensitive 'special category' information such as health or religious views. In addition, you must be able to show where it comes from, where it goes to and how you are using it.

The second step is to ascertain what kind of consent you are relying on; it must be clear, specific and explicit, not merely assumed.

Thirdly, security systems and policies need to be reviewed, updated, and in some cases perhaps put into place for the first time. Encryption is a positive step in the event of a breach.

A fourth point is to make sure that you can meet access to information requests within one calendar month, so that citizens can rectify inaccuracies, remove their details and, under certain circumstances, object to how they are being used.

Number five is that employees must be trained to understand and identify personal data breaches. A failsafe system that picks up infringements automatically is a good idea. Everyone in an organisation must be able to spot a mistake and report it to the DPO within 72 hours - ironically, reporting failures here are the most common form of breach!

Six, supply chains can be a compliance risk. Make sure that your contract terms put the necessary obligations on your suppliers, such as the need to notify you quickly of any problems. Due diligence is essential.

Seven, under GDPR you must describe to individuals what you are doing with their data - see fair processing notice below.

Eight, most small businesses will be exempt from employing a DPO unless their work meets the definition of 'regular and significant monitoring of data subjects on a large scale, or special category data'. However, what constitutes 'large scale' has not yet been fully defined, but in some cases it does include hospital, travel, transport services and insurance or banking data.

Old data

The GDPR rule of thumb is not to hold on to data for longer than you need to, or process it in ways that an individual is not aware of. Identifying data categories - what you hold and why - helps to ensure compliance.

How is consent changing?

The concept of 'consent' is becoming much tighter and more demanding. It can no longer be hidden in the small print. Rather, consent must be shown clearly and separately from other policies on websites and in other communications. You can no longer rely on tick-boxes!

The principle is that simple inactivity is no longer a legitimate way to confirm consent. And that applies to your own data as a customer with personal data rights.

Fair processing notices

If you object to bureaucracy, bite your lip and carry on. Fair processing notices may seem to be an unduly detailed and time-consuming demand on small businesses. But the benefits are worthwhile.

You need to decide why, how and for how long - the retention period - you will be processing data, and include the legal basis for consent and categories of recipients. Importantly, you are also obliged to tell individuals that they have personal data rights.

But there is an upside. It will be all too easy for small businesses to take a complacent attitude and see GDPR as burdensome. However, if you can show that, firstly, you are fully aware of what is involved and, secondly, you are competently and actively working to safeguard individual data and rights, the chances are that your kudos and reputation as a trustworthy business partner will rise.

It will be easier to grab GDPR by the horns and make it work efficiently than try to avoid it.

Sole traders

If you are a one-man band, there is a danger that your data records are somewhat chaotic, and it is well worth spending time exploring how you would explain to a valuable customer why there has been a data breach - and that includes loss, theft, damage, misuse or improper sharing.

In practice, because small businesses pose less of a risk, the ICO may be more lenient. But that judgement is yours to make.