A Small Business Guide to GDPR

The General Data Protection Regulation (GDPR) is a new European regulation which came into effect in the UK on 25th May 2018, overriding the UK’s previous Data Protection Act and providing new rules on how companies are permitted to handle the personal data of their clients.

As the GDPR signifies the biggest shift in data protection legislation in 20 years, it is more important than ever that companies big and small are aware of the new rules and have effective plans in place to ensure they do not fall short of the requirements set out.

This is particularly important as GDPR has not only changed some of the rules, but also imposes more stringent penalties for companies and individuals in breach of the legislation. With fines for breaches set at 4% of annual turnover or €20 million (£17.8 million), whichever is greater, small companies could take a significant hit if a data security breach is found, not to mention the harm that loss of reputation can cause to a smaller business.

‘Personal Data’ is defined as anything which can be used to identify an individual, such as their name, address, date of birth, or even an account number or pseudonym used to identify a particular client. In some instances, it may be worth nominating a Data Protection Officer (DPO) to ensure that your company is GDPR compliant.

The GDPR sets out six principles as to how personal data should be collected, stored and used, which I’ll go through in this guide.

1. Lawfulness, Fairness and Transparency

Under GDPR, any personal information held by a company must be collected in a way which is lawful, fair and transparent. Fundamentally, this means that you can only collect information from a client for reasons which are in accordance with any relevant laws your company may be subject to, you must only use the information in the way your clients expect you to, and you should clearly tell people what you will be using their personal information for.

2. Purpose Limitation

Any data collected must be taken with a clear purpose in mind, which has been clearly communicated to the data subject. Their personal information must not then be used in any way other than that specified and should be deleted as soon as the purpose has been completed.

3. Data Minimisation

Similarly, you should not hold personal information that exceeds the information you require to carry out the purpose specified in point 2. This ensures that individuals are not providing more information than necessary, as well as covering you as a company in case of any security breaches as there will be a minimal amount of information available to be stolen.

Data Minimisation also makes it much easier for a data controller to maintain accurate and up-to-date records of clients, in addition to ensuring that anything which is no longer necessary to hold can be deleted efficiently.

4. Accuracy

Naturally, companies should ensure that any information they hold is as accurate and up to date as possible. Should it be discovered that you are holding any inaccurate or incomplete information, the GDPR states that “every reasonable step must be taken” to correct this as swiftly as possible. Furthermore, a data subject is entitled to request any inaccurate or incomplete information be either corrected or deleted within 30 days of noticing the error.

5. Storage Limitation

As with some of the other principles, GDPR states that information must only be held for as long as it is necessary. This means that as soon as its purpose is complete, the data should be deleted.

There is an argument that companies “should be allowed to store the data for as long as the individual can be considered a customer. So the question really is: For how long after completing a purchase can the individual be considered a customer?” Unfortunately, there may not be a clear-cut answer to this question for some time due to the nature of new legislation; however, if you are in any doubt as to whether you should still be holding someone’s personal information, the safest thing to do is consult a legal professional, or simply delete the data if you cannot see a legitimate reason for continuing to hold it.

6. Integrity and Confidentiality

In accordance with GDPR, any personal information held by a company must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

This essentially refers to how data is kept protected and secure whilst being stored by a business. Considerations such as firewalls, encryption and passwords come under this principle, as can restricting the number of employees who are able to access personal information.

It is also important to ensure you have a thorough recovery plan should the worst happen, in addition to making sure you report any security breaches as swiftly as possible.

This section of the legislation is deliberately vague, as the GDPR states that “measures should ensure a level of security appropriate to the risk,” which can vary depending on the type of information you are storing as well as the purpose of this information.

Is Your Business GDPR Ready?

Now that you have some understanding of the responsibilities imposed on you and your company by GDPR, it is important to think about how these will affect you in the day-to-day running of the company.

A good place to start is to create a checklist which you can match against the information being held. This should be looked at and updated regularly to ensure continued compliance with GDPR for all data subjects.

To make things easy, you can use our template below as a starter.

  • What personal data do we need to collect?
  • Why do we need this information?
  • Are we collecting anything in excess of the needs we have outlined?
  • Would the individual to whom this information relates understand the purpose of the information and why we are taking/holding these details?
  • Do we have appropriate security measures in place and what are we doing to ensure only those who need to access personal information are able to?
  • Do we have a sufficient backup protocol and recovery plan should anything go wrong?
  • Do we require a Data Privacy Impact Assessment or Data Privacy Officer and if so, do we have one with the required training and expertise to carry out their duties in accordance with the guidance set out by GDPR?
  • Do we have procedures in place to swiftly update or delete personal information if requested to do so, as well as a clear system as to how an individual can put forward a Data Subject Access Request (which, under GDPR, must now be provided within 30 days of the request with no fee charged for this information)?
  • Do we have a detailed system for regularly reviewing personal data being stored to ensure it is fit for purpose?
  • Is our Privacy Policy up to date, taking into account the new legislation, and easy to find should a client wish for further details on how their information is collected, processed or stored?
  • Do we have an adequate reporting protocol to detail how we handle personal data in accordance with GDPR?
  • Do we share personal data with any countries outside of the European Union and, if so, do we have adequate protections in place to ensure the continued safety of client information?