Welcome to our quick-start guide to the General Data Protection Regulation (GDPR). This summary is an abbreviated version of our detailed GDPR Deep Dive and aims to give you a head start on what the GDPR will mean for your small or medium sized business (SME). We'll give you the vital information and bust a few of the most common myths along the way.
So, what is the GDPR?
The General Data Protection Regulation (GDPR) applies from 25 May 2018. It replaces the patchwork of national data protection laws across the EU with a single regulation, so that organisations and individuals in different member states can exchange data under one set of rules rather than differing national requirements.
In essence, the GDPR shifts control over an individual's data from the organisation holding that data back to the individual.
The GDPR can be thought of as comprising two main parts:
- A series of rights for the individual
- A set of principles for how businesses should process individuals’ personal data
Who does the GDPR apply to?
The GDPR applies to any business or organisation established in the EU, and to any organisation anywhere in the world that processes the personal data of individuals in the EU in order to offer them goods or services or to monitor their behaviour. Where the business is located does not exempt it.
Myth 1: The GDPR does not apply to small and medium sized businesses
This is absolutely not the case: the GDPR applies to businesses of any size, although there are some concessions on record-keeping for data processing activities for organisations with fewer than 250 employees.
What data does the GDPR apply to?
The GDPR applies to data about an individual, which it calls 'Personal Data'. Roughly speaking, any information relating to a person who can be identified, directly or indirectly, counts as personal data.
The data doesn't have to be as explicit as, say, the individual's first name and last name. It could be something like 'sales manager' at a company if there was only one person in that role at a given time, because the role can then be linked back to a person when combined with other data that is likely to be in the public domain.
Myth 2: The GDPR only applies to data about customers/users
GDPR applies to any personal data about any individual you hold, regardless of the relationship. So, it includes individuals working for customers, suppliers, partner organisations and even your own staff.
The rights of the individual after May 2018
From May 2018 individuals will have the following rights over their data within your organisation (some of them subject to conditions and exemptions set out in the regulation):
- The right to know how their data will be used and for it to be used only in ways they are expecting
- The right to ask you what data you hold on them, what you are doing with it, what you have done with it and how long you intend to retain it
- The right to have any inaccuracies in their data corrected across all systems without undue delay
- The right to erasure (the 'right to be forgotten') from all of your systems
- The right to object to their data being processed in certain ways
- The right to receive all the data they have provided to you in a portable electronic format they can take elsewhere
- The right not to be subject to decisions based solely on automated processing, including profiling, and to obtain human intervention in such decisions
There are a lot of implications to the above, but what’s very clear is that you will need to know exactly what data you have in order to fulfil any of those rights, which at the least means a complete data audit of every filing cabinet, spreadsheet, Word document, email and software package.
The data processing principles your organisation must comply with
To ensure the individuals' rights are maintained, the GDPR lays out an explicit set of data processing principles that organisations must comply with when processing individuals' personal data:
- Lawfulness, fairness and transparency
- Purpose limitation: collected for a specified reason and not used in other, incompatible ways
- Data minimisation: only gather the data you need
- Kept accurate and up to date
- Only kept for as long as actually needed
- Kept secure and processed securely
- Accountability: it's your responsibility to be able to demonstrate that you complied
That list has many upshots; the need for data security is paramount (especially when you consider the fines discussed later), but much more than that it means that as well as knowing exactly what data you have, you also need to know how you got that data and what you are entitled to use it for. You also need a process for culling old data; automated where possible and manual where not.
Myth 3: It’s OK to have personal data if we don’t use it
The GDPR explicitly defines both collection and storage of personal data as forms of data processing, so simply holding data is processing it and must be justified. The ICO has also confirmed this is the case to us.
Does this mean you need consent for everything?
Whether you actually need consent from an individual to store and process their data is one of the most misunderstood parts of the GDPR. There are many articles out there stating that you'll need 'consent for everything' after May 2018, but this is simply wrong.
Consent isn't an aim of the GDPR, the goals of the GDPR are to protect the rights of the individual and ensure their data is processed in line with a series of principles. Consent is simply one of the mechanisms by which data processing becomes lawful, but is by no means the only one.
Myth 4: You need consent for every bit of personal data.
You do not need consent to perform the data processing required to complete your primary reason for interacting with the individual.
You are also allowed to collect and store data for a number of other reasons without gathering consent, such as to fulfil your statutory requirements.
If you’re selling widgets, you don’t need consent to collect the person’s name and address so you can deliver the item (that’s fulfilling your primary contract) and you don’t need consent to store that data in your accounts package, as that record keeping is part of your statutory requirements.
One area that may be surprising is direct marketing, which is mentioned specifically in the GDPR as a processing activity that can be carried out on the basis of legitimate interests, without explicit consent. Note that the individual retains an absolute right to object to direct marketing, and that the separate electronic-marketing rules (PECR in the UK) still govern when you may send marketing by email or SMS.
Myth 5: You can no longer market to your customers under the GDPR.
The GDPR specifically permits direct marketing to individuals you are already interacting with.
If you do want to process an individual's data in a way that's outside what's required to fulfil your primary contract with them, it's important to note that you must now seek their explicit opt-in for each additional way you want to use their data. Gone are the days of pre-ticking the consent box or burying consent in the terms and conditions.
Can't I just ignore it, won't it go after Brexit anyway?
The UK government has already confirmed that the GDPR will continue to be enforced post Brexit, and even if a subsequent government repealed the law, any business that trades with Europe would still need to comply with the GDPR.
Myth 6: The GDPR won't apply in the UK after Brexit.
Even if the GDPR were repealed in the UK, any business trading in the EU, or interacting with employees of EU businesses, would still need to comply.
Ignoring the GDPR altogether might seem a tempting option, but this law has real teeth: the maximum fine for an infringement is 20 million Euros or 4% of global turnover in the last financial year, whichever is the greater. You are also legally required to report personal data breaches to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the individuals affected, and to inform the individuals themselves where the risk is high.
TalkTalk's much discussed 2016 fine of £400,000, imposed due to security mistakes that allowed hackers to access customer data, would be a staggering £59m under the GDPR.
What does this mean in practical terms?
In essence, the GDPR requires that you know:
- What data you hold about people
- What you have permission to use that data for
- How long you can justify keeping that data for, and how old it is currently
Essentially that means you need to know what data is stored in every software system, spreadsheet, report, email and filing cabinet, and you need to know how and when you obtained that data. That includes all the data you already have.
Few of us will know the origins of much of our data. In practice this means deleting any data you find that you no longer need, and then going back to customers to seek permission to use their data for anything beyond what is implicit in the core activity they undertake with your business.
Additionally, you'll need to ensure that the data you keep is kept safe. For paper data that means preventing unauthorised access to printed records; for electronic data it means secure IT networks, access controls, data encryption and, perhaps most importantly of all, staff training to raise awareness of data security.
Want to know more?
This page is only scratching the surface of the GDPR. There's lots more to read in the Detailed Guide to the GDPR on this website, and we'd also strongly recommend reading the actual regulation: the first 30 pages (the recitals) are in plain English and do a good job of explaining the intent of the law.