No matter what size your business is, if you are collecting and processing personal data the General Data Protection Regulation (GDPR) applies to you! Personal data is any information that relates to an identified or identifiable living person. This could be information like a name, address, or telephone number.
Personal data can also be information that, when collected together, can lead to the identification of a particular person by their habits or tastes, such as an IP address. Whether you collect or process personal data on a small or large scale, you come under the scope of the GDPR as a data controller. You must comply with the data protection rules in the GDPR when you process personal data.
You also have to be aware of the scope of the GDPR. This is outlined in Article 3 of the Regulation. In simple terms, it sets out how far the GDPR reaches: not only the transfer of data, but also which organisations must comply with the GDPR requirements.
For example, if you sell products and export them to people in the EU or the UK, then the GDPR may apply to your collection of people’s data. If you are in the United States and sell goods to residents of the EU, you have to comply with the GDPR and have a representative in the EU to act as a point of contact for your customers. The same applies to the UK now that it has left the EU.
What is the purpose of the GDPR?
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. The GDPR is a legal framework that sets guidelines for the collection and processing of personal data from individuals who live in the European Union. The regulation aims to protect the personal information of individuals and give them more control over how their data is processed.
The use of data has grown to such an extent that people are giving their information away multiple times a day. With the devices used today, from phones that could run a small business to biometric entry to buildings, the amount of data organisations process is huge.
When the first data protection law came out it dealt only with electronic data, not paper, and did nothing to protect people’s data in the way data is used today. The GDPR brings all of that into one single regulation and standardises the rules across all EU countries, so they are all working from the same regulation.
The GDPR is also now the foundation of other countries’ data protection laws. Take POPIA, South Africa’s data protection law: it is based on the GDPR, with the same principles, the same data subject rights, and so on. The CCPA is the same, and so on.
GDPR is a very important piece of regulation and goes a long way to protecting people’s personal data.
How can a small business become GDPR compliant?
For small businesses, GDPR compliance can seem a daunting task. But here is a GDPR compliance checklist that you need to make sure your business has in place to reach an appropriate level of GDPR operational compliance.
Your policies are essential for the internal application of Data protection and guidance for employees on handling data. Employees must understand: how to keep data secure, who is their point of contact for data protection matters, how to handle Data Subject Access requests, procedures for dealing with a Breach, etc. Internal policies when adhered to can save your business time and money by handling these situations correctly.
Do not write policies with legal speak, quoting Articles of Law and really long detailed documents. They may look clever and make you feel that you have covered all the bases, but no one will understand them. Write your policies in simple plain language that every employee will understand.
Keep them short, 5-8 pages long at most, and split them up into separate policies: a breach policy, a subject rights policy, and so on.
It is important to keep three main types of logs/registers for data protection compliance: a data breach log, a data subject rights log, and a processing activities workbook.
Data Breach Log
A data breach log is where you log the details of any data breaches or data incidents, such as: when the breach occurred, who was involved, what data was breached, the impact of the breach, and how it was handled. This register is vital to demonstrate the steps taken to mitigate the risks that data breaches pose to the business and to the data subjects affected.
This is one of the main logs you will be asked for by a Supervisory Authority if you are ever audited by them, so it is very important to log every breach or incident, no matter how small.
Data Subject Rights Log
A data subject rights log is where you log the details of every DSAR you receive. This log must contain: who made the request, what data was requested, proof of identity, the length of time taken to respond to the request, and a copy of the response. This log is vital to demonstrate your compliance with the rights of your customers and can protect you if the individual making the request decides to make a complaint.
One of the exemptions that allows you to refuse to provide information is that a request is repetitive. If you do not log these requests you will have no way to prove it is repetitive.
Record of Processing Activities Register
A processing activity register enables you to keep a record of all your business processing activities where you collect, process, store, and delete personal data. For each processing activity, it is a good idea to state: what categories of personal data are collected, how it is stored, who has access, security measures, the lawful basis for processing, risks, and mitigation. This register is important to demonstrate your business is compliant with data protection laws and requirements.
This is the main register to show your accountability as a data controller: you can go to this register to see what your legal basis is to process the data, your retention period, any risks, etc. You must have this register in place and build your policies etc. around what data you process.
Businesses of all sizes can experience a data breach or a data subject access request from individuals. It is important to have a procedure in place for when this situation occurs. A data breach procedure explains to employees what they must do in the event of a breach, who within your organisation should be notified, and how to report a breach to the Information Commissioner’s Office (ICO), the data protection authority in the UK. Similarly, if a data subject requests access to the data you hold on them (a DSAR), you must legally provide this. You must have a procedure in place that informs staff how to handle and respond to a DSAR and to whom in your organisation a request should be communicated. These measures will save your business time and money when your employees understand how to handle DSARs and data breaches.
Data Protection Officer (DPO) or Manager (DPM)
You may wish to appoint a Data Protection Officer or Manager within your organisation, or an external body, as a point of contact for employees. The DPO/M acts as a point of contact for any day-to-day matters, assists with handling data subject access requests and data breaches, and deals with any other general inquiries about data protection from your employees or others outside your organisation.
As a data controller, you are responsible for ensuring your employees have an understanding of Data Protection requirements and how they are implemented into your business. All employees need a basic understanding of what personal data is, why it needs to be safeguarded and how to do so. This data protection training is essential, as problems or breaches occur when employees are not aware of the law or how it applies to their role.
To find out what your business offers, most people will visit your website. The same applies to data protection: customers will go to your website to find out more about how you will protect their data.
You should have a privacy notice on your website that will explain to visitors:
what data you collect from them, your purpose for collecting, how you process and store that data, how long you keep it, when and how it is disposed of, the rights of your customers, a contact within your organisation if they have any further questions, and the contact details of the ICO if they wish to make a complaint.
Many businesses mistakenly think their privacy notice only applies to the data they collect from their website (such as cookies). However, the privacy notice should also cover the personal data you collect from customers to provide your services to them and throughout your ongoing relationship with them.
If your small business has a website, then certain requirements have to be met, as you are collecting and processing the personal data of your website visitors. Small text files called cookies collect data from your website visitors and are used to monitor their activity online.
Cookies collect an IP address from the user, and this is classed as personal data as it can directly identify a user. You are required to give visitors the option to accept, decline or manage their cookie preferences when they use your site. The best way to do this is by the use of a cookie banner.
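The accept/decline/manage choice only protects visitors if nothing non-essential is set before they have made it. The following is an added example, not code from the original post or from CookieScan, of a small default-deny consent gate that a banner or server could sit behind: it records the visitor's choices with a timestamp and policy version, treats a missing, malformed or outdated record as "no consent", and refuses to set any cookie outside the strictly necessary category until consent for that category has been given. The cookie name `cookie_consent`, the three categories, the version number and the plain cookie-header interface are all assumptions made for this example.

```javascript
// Added example: default-deny consent gate for non-essential cookies.
// Names, categories and version number below are assumptions, not values
// from the original post or from any product it mentions.
const CONSENT_COOKIE = "cookie_consent";                   // assumed cookie name
const CONSENT_VERSION = 1;                                 // bump when the privacy notice changes
const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed categories

// Parse a raw Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Read the stored consent record. Anything missing, unparseable, from an
// older policy version, or without a choices object counts as no consent.
function readConsent(jar) {
  const raw = jar[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec.version !== CONSENT_VERSION) return null;
    if (!rec.choices || typeof rec.choices !== "object") return null;
    return rec;
  } catch (e) {
    return null;
  }
}

// Build the record the banner stores once the visitor has chosen.
// "necessary" is always on; every other category is off unless explicitly accepted.
function buildConsent(choices, now = new Date()) {
  const rec = { version: CONSENT_VERSION, timestamp: now.toISOString(), choices: {} };
  for (const cat of CATEGORIES) {
    rec.choices[cat] = cat === "necessary" ? true : choices[cat] === true;
  }
  return rec;
}

// The single check every cookie-setting call goes through.
function isAllowed(category, consent) {
  if (category === "necessary") return true;
  if (!consent) return false;               // no banner interaction yet: deny
  return consent.choices[category] === true;
}

// Return a Set-Cookie header value if the category is permitted, else null.
function setCookieIfAllowed(name, value, category, consent, opts = {}) {
  if (!isAllowed(category, consent)) return null;
  const attrs = [`${name}=${encodeURIComponent(value)}`, "Path=/", "SameSite=Lax", "Secure"];
  if (opts.httpOnly) attrs.push("HttpOnly");
  if (opts.maxAge) attrs.push(`Max-Age=${opts.maxAge}`);
  return attrs.join("; ");
}

// The consent record itself is strictly necessary, so it can always be stored.
function consentSetCookie(rec) {
  return setCookieIfAllowed(CONSENT_COOKIE, JSON.stringify(rec), "necessary", null, { maxAge: 15552000 });
}

// Constructed walk-through: a first visit with no record, then a visit after
// the visitor accepted analytics only.
const firstVisit = readConsent(parseCookieHeader("session=abc123"));
console.log(setCookieIfAllowed("_analytics", "1", "analytics", firstVisit)); // null: blocked
const stored = buildConsent({ analytics: true });
const laterVisit = readConsent(parseCookieHeader(consentSetCookie(stored).split(";")[0]));
console.log(isAllowed("analytics", laterVisit), isAllowed("marketing", laterVisit)); // true false
```

Keeping the version number in the record matters in practice: when the privacy notice or the set of categories changes, bumping `CONSENT_VERSION` silently invalidates every old record, so the banner is shown again rather than relying on consent given for a different notice.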
Get CookieScan, your total cookie management solution.
CookieScan has recently added a data rights function. Data subjects can now exercise one of their data protection rights and contact the website owners directly: submitting a data subject access request, objecting to processing, asking for data to be corrected, and so on. CookieScan is the first to offer this and to combine both the data protection laws and the ePrivacy Regulations, or your own local laws.
Do all companies have to be GDPR compliant?
You must be GDPR compliant if you are either operating in the EU or your customers are based in the EU and you collect personal data. Operating in that jurisdiction means that is where your business is based. So if you are based in France, for example, you have to comply with the GDPR.
If your customer is based in an EU country, even if you are not, you have to be compliant with GDPR.
For example, if your company is based in Jersey but your clients or those that visit your website are based in the EU you must comply with the GDPR. If neither of the above scenarios applies to your business, then you do not have to comply with the GDPR.
However, there may be other Data Protection laws within your jurisdiction that you will need to comply with.
Do small businesses need to pay for data protection?
How you choose to reach and monitor compliance with data protection requirements varies for every business. Some businesses choose to handle it internally, whereas others choose to employ external data protection professionals to handle their compliance for them.
The benefits of using an external professional are that they will handle all your data protection needs for you, provide professional advice, and assist you in making the needed organisational changes. The size of your business will determine the cost for you to reach compliance.
Why is data protection important to a business?
Data protection is important to every business. The GDPR aims to protect the right of data subjects to decide how they want their data to be processed, and the regulation sets out laws to do this. Non-compliance with the GDPR can put your business at risk of hefty fines! Not only will this affect your business financially, but also your reputation, which could be more damaging.
Fines can reach as high as 20 million or 4% of annual global turnover, whichever is higher.
A recent data breach at the airline British Airways shows how serious a failure to comply with data protection regulations can be. The airline was fined 22 million for a breach that affected 400,000 of its customers. Hackers got their hands on customers’ names, addresses, log-in details, payment card information, etc. According to the ICO, the attack was preventable, but the airline had not put sufficient security measures in place to protect the data on its systems.
They could have avoided this by investing in security solutions and ensuring they had strict data privacy policies and procedures in place.
What are business privacy laws?
There are a few notable data privacy laws that may apply to your business; which ones will depend on where your business is based and where your clients/customers are based. The most well-known law is the GDPR, the EU law for data protection. Due to Brexit, the UK now has its own law called the UK GDPR, which closely mirrors the GDPR with some slight changes so that it works more effectively in a UK context, alongside the Data Protection Act 2018. The Channel Islands have their own data protection laws too: Jersey has the Data Protection (Jersey) Law 2018 and Guernsey has the Data Protection (Bailiwick of Guernsey) Law 2017.
How does the Data Protection Act affect businesses?
The UK Data Protection Act 2018 was developed as an update to the DPA 1998. As technology has changed and developed over the years, an update to this act was needed to ensure personal data is being used properly and legally in our digital age. Whilst the GDPR affects businesses registered within the EU and any companies handling personal data collected within Europe, the DPA is an equivalent piece of legislation that captures many of the same rights and obligations as the GDPR within the UK.
Data protection legislation applies to any information an organisation keeps on staff, customers or account holders and will likely inform many elements of business operations, from recruitment, managing staff records, marketing, or even the collection of CCTV footage.
What can PropelFwd do to help my business?
Propelfwd is a total one-stop-shop for data protection compliance. The team are all qualified data protection professionals and have experience working with all sizes of businesses in different jurisdictions.
Propelfwd can offer a total compliance package, starting from ‘ground zero’: putting in place policies, procedures and training packages, and being your outsourced Data Protection Officer or Manager, or even your EU Article 27 Representative.