The deadline for GDPR compliance is looming, and while the changes in EU law will impact every area of big business there is no overstating the risks for smaller enterprises as well.
Small and Medium sized Enterprises (SMEs) tell us they feel the challenge of compliance is too big and too scary to consider tackling – but it doesn’t have to be this way. First and foremost GDPR compliance is a change to both your attitude and your approach to data; before long you’ll find yourself using data protection as a USP in your marketing and it won’t feel like a chore and a box-ticking exercise.
1 Recognise that GDPR WILL affect you
The new law affects everyone, and there is no getting away from it – no matter how big or small your organisation. Individuals are being given a plethora of new rights while organisations can expect a barrage of requirements to demonstrate compliance and accountability. Sure, the Information Commissioner’s Office (ICO) will be focusing on the big players to begin with, and aim to reign in some very big fines (the guidance says fines will aim to be ‘dissuasive’, which means they will set an example for others to force data protection onto your agenda). Be aware, however, that come May 25th you will face a wide range of new risks in these areas:
Litigation – group actions by data subjects and a new species of ambulance chasing firms
Audits – the overriding need for you to know exactly what data you process, the legal basis for processing, etc.
Complaints – subject access requests, the right of erasure, complaints to ICO
Fines – with upper limits set at truly eye-watering and unprecedented levels
So here are a few key pointers to get you started:
2 Overhaul your mailing list and refresh consents
Implied consent, or consent from pre-ticked boxes, is no longer permissible, so you will have to approach all individuals on your mailing list to renew their consents. Here is a useful mnemonic for you: consent under GDPR must be ‘FUSI (E)’
- Freely given
- Informed, and (in the case of sensitive personal data)
- Expressly for the purpose of the processing
You’ll also need a privacy notice for these individuals, setting out the information you are processing, how it is collected, how it will be used or shared, measures deployed to secure it, how long it will be retained and the individual’s rights to erasure, correction, access and restriction.
And be careful you don’t do any other marketing in the mailshot you send to update consent – big companies have been bitten by this (https://www.theregister.co.uk/2017/0 3/28/ico_fines_flybe_honda/) even though they were trying to do the right thing!
3 Data purge
It’s likely to be as difficult as eating only raw vegetables for a week, but your data fitness will be enhanced massively. Your mantra will be: ‘Process and retain only the data we need’ and all staff will chant it regularly.
A key tenet of the new laws is to require organisations to only process what they need, and only for as long as they need it.
You will need to justify your processing of each piece of data you collect – whether to the Data Subject, or to the ICO if they pop in for an audit. Getting lazy about minimising your records when customers go off your books, employees move on, or your mailing list goes out of date, will land you in hot water.
You will develop a procedure to periodically remove unnecessary data from your record keeping and databases. If you want to keep names and email addresses for later you need to justify this in your data protection policy.
If you want to keep historical records you need to anonymise or at least ‘pseudonymise’ them so they can’t be linked to individuals.
There is also a bevy of extra security requirements for ’special categories’ of sensitive data, and you have to have consent to use these categories – so ask yourself if this data is really necessary.
Special categories are: racial origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or orientation, criminal records, genetic data and biometric data.
4 Assume all ‘bought in’ databases are non-compliant
If you have bought a database of marketing leads your base assumption must be that the consents obtained are no longer valid. The Direct Marketing Industry is arguing with this, and there may be a resolution when the Data Protection Bill is finalised, but for now it’s too risky to take a laisez-faire attitude to marketing.
You will obtain and carefully review the contracts for supply of such databases in the future and take pains to ensure they contain promises that the data has valid GDPR compliant consents.
5 Check the compliance of your IT and online suppliers
The GDPR makes it a statutory requirement that data controllers (that’s you) hand down requirements to their suppliers in contractual agreements, and check that anyone they use as a data processor has adequate security.
So think about your web provider, cloud storage and anyone else who might facilitate the processing of your data. You need to check their data protection policies are GDPR-compliant, and particularly that their servers are encrypted and located in a country that is approved by the European Commission for having adequate safeguards (the EC website gives updates on which countries have been assessed – the US, Canada, Jersey and Australia, for instance, are already deemed safe).
6 Prepare for the worst
You must have processes in place to react to data breaches and subject access requests, and be able to demonstrate your readiness. This includes: granting access, erasure, rectification and data portability – allowing customers to move their information freely between service providers.
Breaches creep up on all of us, and when you suspect you’ve been hacked, or an employee misplaces their laptop – that kind of thing – you need to be ready to investigate, establish how much data was disclosed and how harmful could it be to individuals. But the key here is to ‘demonstrate’ your readiness and compliance – companies need to be able to show they are ready and have suitable procedures in place.
7 Start with the data protection principles and work outwards
There is no quick fix for GDPR compliance: those days are over – taking responsibility for the data you hold will require changes across your organisation: training your workforce, embedding new policies and procedures, and changing your whole attitude to individuals’ data.
The GDPR sets a very high standard, with a lot of do’s and do not’s – but if you boil it all down and focus on the key principles, you will get a long way ahead of your competition.
- Lawful, fair and transparent processing: you have identified the appropriate legal bases for the uses you are putting data to; you aren’t using it for something the data subject would not reasonably expect and you have told the data subject what you are doing.
- Purpose Limitation: you are processing data for only the reasons notified to the data subjects.
- Data Minimisation: you only collect what you need for the purposes you have identified and no more. If you were to receive a Data audit you would be able to justify every piece of information you hold.
- Storage Limitation: you identify how long you will retain data and you delete it when it is no longer needed.
- Integrity and Confidentiality: you ensure security is adequate to keep the data safe and keep on top of developments in cyber security. You restrict access to data to only those who have a clear need for access.
- Accountability: you are able to demonstrate how you work towards compliance in your policies, your contracts with partners and suppliers, privacy impact assessments and processing logs.
These will give you a good foundation to build on – and moving forward, just remember that the measures you take are expected to be proportionate and appropriate to your organisation.