
A Quick Guide to GDPR for Businesses

GDPR for businesses
10th January 2018

GDPR is the biggest change to data privacy and processing in the last 20 years, and will be coming into force on the 25th May this year. It is essential that your business is ready and compliant by this date, or you risk fines of up to 20 million euros or 4% of group worldwide turnover (not profits). While top level fines are reserved for rights infringements, failure to implement subject access requests, and problems with consent, smaller transgressions can still result in a fine and seriously damage your reputation.

What You Need to Do

Every business needs to get independent legal advice for their industry and specific data processes and environment – this means discussing GDPR with your solicitors and perhaps data protection experts.

To give you a grounding on the legislation, you can see the ICO’s 12 Steps to Take Now. These include:

  1. Raising awareness – letting people within your business know about GDPR and the requirements within it.
  2. Documenting information you hold – including where it is from, where it is held, and who you share it with.
  3. Communicating privacy information properly both within your business and to people providing information to you.
  4. Checking procedures to ensure that they cover all individuals’ rights under GDPR.
  5. Creating procedures to comply with subject access requests.
  6. Ensuring that you have a lawful basis for processing data.
  7. Gaining proper consent before processing personal data.
  8. Thinking about whether you need to put systems in place to protect children and gain parental consent for data processing.
  9. Creating procedures to deal with data breaches.
  10. Following the ICO’s guidance on privacy impact assessments and creating data protection processes.
  11. Seeing whether you need to appoint a data protection officer.
  12. Determining whether you operate or process data in more than one EU country.

A lot of these seem very expansive and can be overwhelming, especially for small businesses. The first step in most situations is to assess/audit the data that you already hold – what do you have, why do you hold it, how sensitive is it, where is it held, and most importantly, is it necessary for you to hold it? If you have a large amount of unnecessary and inaccurate data, it’s likely that you’ll need to sort through it and delete anything that is not essential.

Once you have a good understanding of what you have and why, you can define your new processes and procedures to ensure that your data stays clean and compliant. This will include assigning responsibility for data, and ensuring that people know exactly what you’re going to do with their information when they submit it – consent is central to GDPR and it’s important that it is properly given. Requests must be written in plain English and pre-ticked forms are no longer acceptable.

Hopefully, once you have updated your procedures and made your security more robust, you will not experience a data breach. But you will need to plan for the worst too – make sure that you have proper communication processes in place and you have taken every reasonable precaution to avoid a breach from happening.

Depending on the size of your business and the type of data that you process, you may need to appoint a data protection officer. This person must have relevant experience and sufficient knowledge to manage your data properly under this legislation. Most companies with fewer than 250 employees will not need to worry about this, but some that process sensitive data will need to appoint an officer because of the type of data they hold and process.

GDPR Resources & Information

It’s likely your business already has considerable resources to handle GDPR – your first and most important resource will be your legal team. Secondly, your business is probably using a range of companies to process data, such as MailChimp for emails or any of your order management systems. It is important that you speak to all of these companies as part of your preparations to ensure that they are taking the proper steps to prepare as well.

You can read the entire text of the General Data Protection Regulation here.

You can also find excellent information about GDPR and preparing for it here:

