New Data Protection Rules (GDPR): What does it mean for your small business?
You will no doubt have heard some hype surrounding the new data protection rules coming into force on 25 May 2018. The new General Data Protection Regulation (GDPR) is set to overhaul how your business processes and handles data. Just because you may run only a modest business does not mean you can bury your head in the sand in relation to these reforms.
The current regulations were drawn up 20 years ago in the late 1990s, when the internet was much less developed than now and long before the Cambridge Analytica and Facebook type scandals were even in contemplation. You may have received a number of emails recently from websites and organisations about the changes and what it means for your data, but what does your organisation need to do to keep up with the times?
First, do not ignore or think the regulations do not apply to you! You have less than one month to prepare. The good news is that Dickinson Parker Hill are here to help.
Spot the difference
The full text of GDPR contains an eye-watering 99 articles detailing the rights of individuals and the obligations placed on businesses and other organisations. Suffice to say, these go much further than the old Data Protection Act rules.
Under GDPR, the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data will have to be reported to the Information Commissioner’s Office (ICO) (as well as to the person it is about) within 72 hours where it could have a detrimental impact on the person or “result in a risk for the rights and freedoms of individuals”.
Opt in not Opt out
When you are relying on consent to lawfully use a person’s information you must clearly explain that consent is being given and there has to be a clear “positive opt-in” rather than an “opt-out” system. This is very different from the presumed consent model under which many businesses operate at present. Is yours one of them?
Along similar lines the GDPR clamps down on the automated processing of data. If you have subscribers or mailing lists then you should take advice on what you can lawfully do with this information and whether you can continue to retain it.
Right to be forgotten
The new regulation also gives individuals the power to get their personal data erased in some circumstances e.g. where it is no longer necessary for the purpose it was collected, if consent is withdrawn or if there’s no legitimate interest. In any event you should always be considering whether you still have a need for/legitimate reason to continue to hold a person’s data and, if not, delete it. That includes personnel files, order details, invoicing information and customer lists.
The GDPR also gives individuals a lot more power to access the information that’s held about them for free. Currently, Subject Access Requests can be subject to a charge of £10. However, all requests for personal information going forward will have to be honoured free-of-charge no matter what the administrative cost might be to your company.
Time limits for the provision of such information are also very strict: when someone asks you for their data, the information must be provided within one month.
In order to comply with the core foundation of “privacy by design,” GDPR requires your processes to be built with data protection in mind, rather than treated as an afterthought. You should therefore take a moment to think about every aspect of your business, how you use data and how such use protects the individual and complies (or not as the case may be) with GDPR.
Specific protection for children
Since children are generally more vulnerable and less aware of risks, GDPR includes parental consent for children up to age 16. This is very relevant as consumers of services, particularly online services, are getting younger and younger.
One of the biggest, and potentially crippling, consequences of the GDPR for your business is the power for regulators to fine businesses that don’t comply with it. If you don’t process an individual’s data in the correct way, you can be fined. If you require a data protection officer and don’t have one, you can be fined. If there’s a security breach, you can be fined.
The GDPR states smaller offences could result in fines of up to €10 million or two per cent of a business’s turnover (whichever is greater). Those with more serious consequences can have fines of up to €20 million or four per cent of turnover (whichever is greater). These are larger than the £500,000 penalty the ICO can currently wield and, according to some analysts, fines imposed last year would be 79 times higher under the new regulation.
Preparing your business
When implemented, GDPR will have varying and wide-ranging impacts on all sorts of businesses and organisations. To help you prepare, the ICO has created a 12-step guide which you can access at the ico.org.uk website. For more detailed advice and guidance on compliance, help to prepare a data protection policy or to rethink your data handling processes to minimise your risk, or if you are facing a complaint that you have breached the GDPR, please do not hesitate to contact us at [email protected].