A Guide to Preparing for GDPR for Small and Medium Businesses

by
  • What is GDPR?
  • What are the requirements of being GDPR compliant?
  • What should my company be doing to prepare for the GDPR?
  • The Business Implications of Failing to Comply with GDPR!

What is GDPR?

On 25 May 2018, the General Data Protection Regulation (GDPR)  will be enforced across Europe, including the UK. The law aims to give citizens more control over their data and to create a uniformed set of rules to enforce across the continent.

According to the GDPR directive, personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.

It applies to any organisation in the world that contains personally identifiable information on an EU citizen (including UK). If you think that does not include you, it does, as it even includes the staff that you employ.

What are the requirements of being GDPR compliant?

  1. The right to be informed: this includes ANY personal data gathering by companies. Individuals must be informed before data is gathered and have explained in simple, clear language why they should leave personal information and how the information will be used and for how long it will be stored.
  2. Communication & Consent: When dealing with consumers, companies must get clear consent to the processing of personal data. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied. A good guide for advice on gaining consent for both B2C and B2B can be downloaded here.
  3. The Right to Access: This means that individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.
  4. The Right to Have Information Corrected – This ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
  5. The Right to be Notified: Companies are required to notify the individual involved and any regulatory authorities of any breach of personal data within 72 hours of the discovery of such a breach.
  6. The Right to Restrict Processing: Individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
  7. The Right to be Forgotten: If consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
  8. The Right to Object: This includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
  9. Profiling: Individuals have the right appeal against the decision when it is based on automated processing and produces a legal effect or similarly significant effect on the individual.
  10. Sensitive Data: Ensure the specific safety for information on health, race, sexual orientation, religion and political views.
  11. Marketing: People should be able to give up direct marketing which uses their data.
  12. The Right to Data Portability: Individuals have a right to transfer their data from one service provider to another. And it must happen in a commonly used and machine-readable format.

The Importance of carrying out a data audit and what to include

One of the first steps to get your organisation ready for GDPR compliance should be to conduct a data audit.

When you carry out your data audit you need to be identifying the answers to the following key questions:

  • What data do you hold and why?
  • How do you collect the data?
  • How and where is the data stored?
  • What do you do with the data?
  • Who owns and controls the personal data?
  • Retention and deletion
  • Who is responsible for the data and processors associated with data?
  • Do you have adequate technology / process to adequately manage data processing?

You should identify and document the audit process carried out, detailing how personal data enters, is processed and stored and exits your organisation

This should include data that is being hosted both inside and outside of your organisation if you control it.

Some of the considerations when answering the key questions above are:

What data do you hold?

  • Is it personal data / sensitive data / children’s data?
  • For all historic data, you need to be able to prove how you collected the data, what permissions you have and what it is being used for.
  • You should only be keeping data if you are using it and have clear consent for that use.
  • You need to make sure that you put in place a process for removing any data which does not satisfy these criteria.

How is the data collected?

  • You need to document all the methods both online and offline in which you collect personal data (this may include website, telephone, in person, mobile apps and or third parties)
  • You need to have well documented process of opt in/out statements and privacy policies.
  • There needs to be a process in place to store historic changes to wording and track any future changes.

How and where is the data stored?

  • Document where the data is stored.
  • List what systems and or applications you use to do this.
  • Document how you process the data (are backups kept offsite or cloud based for example?)
  • Check that all places data is stored used have their own up-to-date data policies and that all places you use are clearly mentioned in your data processing policies.

Questions to ask about what you do with your data:

  • How do you process the data?
  • Where do you send it to?
  • What are your grounds and justifications for processing the data?
  • Ask: do you need the data? If you don’t need the data, don’t collect it and store it. If you do need the data, clearly explain to the user why and what you will be using it for.

Who owns and controls the data?

  • Are you a controller or processor of the data?
  • Who has access to it? (A question to ask both internally and externally)

Retention and deletion

  • How long do you keep the data?
  • What is your justification for the length of time you retain it?
  • What is the process for deleting data?
  • Remember: Make sure you have a clear policy on this and a process for implementing it

Who is responsible for the data and processors associated with data?

As well as either an appointed representative or a named data controller, if your company employs over 250 people, it is important that within the organisation there are clear guidelines as to who is responsible for the admin and upkeep of any data related policies.

As part of the audit an ongoing process needs to be identified for historic data as well as newly- collected data.

Do you have suitable technology and or processes in place to adequately manage data processing?

Once you have identified what historic data you can keep and need to keep and a strategy for collecting data the next step move forward is that you need to ensure your technology is capable of doing what you need to do.

Some important considerations to include are being able to deal with, removing data, storing the permission given at the point of collection (including the wording used as well as time, date etc.)

You also need to document your justification for collecting, processing and storing the data and which of the six legal bases (below) you are using to process the data.

Remembering that you could be using different legal bases for different types of data.

The six legal bases for processing data are:

  1. Consent
  2. Legitimate Interest
  3. Contract
  4. Legal obligation
  5. Public interest
  6. Vital interest of data subject

GDPR places greater importance on the documents that data controllers must keep in order to demonstrate their accountability and the data audit should form part of a full IT governance review to ensure that your organisation is GDPR compliant.

GDPR: B2B vs B2C – can you still email your database?

It’s no surprise that there is some confusion as to what the rules when it comes to email marketing and the level of consent you need to email the people in your database. Let’s take a look at the rules from both a B2B and B2C perspective.

The implications will be most significant with B2C, unless you have clear consent from the person opting in, and unless they understood exactly what that data was going to be used for, then you will not be able to use it any more. You won’t be able to use it for email or SMS, or for targeting people on other platforms, such as social media.

For B2B, the rules are a little less strict. You will be able to continue using data for people that have not specifically opted in, as long as it was simple for them to opt out and they understood exactly what their data is being used for.

How do I identify a B2B contact from a B2C contact?

This can sometimes be difficult. But there are a few things you could do:

  • If your business is B2B only, you could exclude B2C contacts from receiving future marketing emails. One way to do this is by segmenting your database email lists and excluding any personal email addresses, such as ‘@hotmail.co.uk’, from your marketing emails.
  • You can add a required field to your sign-up form that asks for their company name. If they submit a company name as well as a company email address, then you know it’s a company you’re dealing with.
  • An issue with the above examples is that sole traders and some partnerships fall under the same regulation as B2C contacts, not B2B. One way to try and get around this situation is to have a field on your sign-up form asking people how many employees work at their company. This information, should then enable you to ascertain as to what type of business they are.

The problem with all of the above is that they can be prone to error. One sure-fire way of staying GDPR compliant is to treat your B2B and B2C contacts the same.

The B2C marketing rules – If you cannot demonstrate clear consent from your database then you really need to stop using the data.

The B2B Marketing rules

In the majority of cases businesses can continue to market to another businesses email address as long as they provide a soft-opt-out option or at least an unsubscribe feature. It is also necessary for companies to identify themselves and provide contact details.

Each company will have different obligations under GDPR. However, in most cases it is likely that an individual’s work email address will be considered ‘personal data’ as it usually includes the individual’s name. In this case “legitimate interest” can be used to as justification to send relevant marketing messages. However, the person would need to reasonably expect to receive such communication from you and if they don’t engage, you no longer have consent. So, you must keep messages business related, relevant and within expectations!

Despite the GDPR impact on B2B communications being less strict than B2C communications, it does not mean that a review of your communications and policies is not needed. As all your business contacts are also consumers in their private lives, it is likely that their expectations will change. If you are marketing to companies via a business contact, it is recommended that you still keep content relevant and timely to match these changing expectations.

Regardless of whether your company is B2C or B2B you should take GDPR seriously. Reviewing the official documents and referring to the ICO (Information Commissioner’s Office) is a good place to start. Lastly if you are uncertain in any way be sure to seek out professional advice.

What should my company be doing to prepare for the GDPR?

The ICO have provided this self assessment toolkit, which has been created especially with small to medium organisations in mind, this will be most helpful for organisations within the private, public and third sectors.

  • ·Instil a sense urgency that comes from top management
  • Involve all members of staff. It is not just up to IT alone to implement and understand the GDPR requirements. Include all departments; marketing, finance, sales, operations – any group within the organisation that collects, analyses, or otherwise makes use of customers’ information. This will ensure they share information that will be useful to those implementing the technical and procedural changes needed, and they will be better prepared to deal with and understand any impact it has on their teams.
  • Conducting risk assessments: It is important that you know what data you store and process and understand the risks around it. Remember, the risk assessment must also outline measures taken to mitigate those risks.
  • Implement measures to mitigate risk: Once you’ve identified any risks and how to mitigate them, you must put those measures into place. For most companies, that means making changes to existing risk mitigation measures.
    • Hire or appoint a GDPR representative or if you employ over 250 employees a Data Protection Officer (DPO):The GDPR does not stipulate whether the DPO needs to be a discrete position, so presumably a Company may name someone who already has a similar role to the position as long as that person can ensure the protection of personal information and has no conflict of interest. For more information on whether you
    • Creating a data protection plan: Most companies already have a plan in place, but they will need to review and update it to ensure that it consistency adheres to GDPR requirements.
  • If your company is small, ask for help if you need it. Smaller companies will still be affected by GDPR, some more than others. These smaller companies may not have the specialised resources needed to meet requirements. Outside resources are available to provide advice and technical experts to help them through the process and minimise internal disruption.
  • Test incident response plans: The GDPR requires that companies report any breaches within 72 hours. How well the response teams minimise the damage will directly affect the company’s risk of fines for the breach. Make sure you can adequately report and respond within the time period.
  • Set up a process for ongoing assessment: You need to ensure that you remain compliant, and that will require ongoing monitoring and continuous improvement.
  • Doing all of this will improve your business:  Ensuring and remaining compliant will significantly boost consumer confidence. More importantly, the technical and process improvements necessary to meet GDPR requirements should many organisations to manage and secure data more efficiently.

The Business Implications of GDPR

This new data protection regulation puts the consumer in the control, and every business and organisation have a duty of complying with this regulation

Simply put, the GDPR applies to all businesses and organizations established in the EU, regardless of whether the data processing takes place in the EU or not. Even non-EU established organizations will be subject to GDPR, so, if your business offers goods and or services, to citizens in the EU, then it is subject to complying with GDPR.

Every company or organisation that work with personal data should appoint a data protection officer or data controller who is in charge of ensuring GDPR compliance.

There are tough penalties for any companies and organizations who don’t comply with GDPR with fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater.

Conclusion

Data has become a very valuable new currency in this world.

And while GDPR does create challenges and frustration for us as businesses, it also creates new opportunities.

If you as a Company want to retain more loyal and returning customers, then showing that you value that individuals privacy (regardless of any legal compliance), that you are transparent about how you use their data, that you implement new and improved ways of managing customer data throughout your customers life cycle.

The May 2018 is only a few weeks away and if you haven’t already started to take the necessary steps to ensure your compliance then we urge you to start now.

Dedicate time to understand what you need to do in order to become compliant and use the practical tips shared in this article to help you get started. Create a plan of action for your GDPR journey so that when you turn the date clicks over to May 25th 2018 you are relaxed knowing you can answer any of your customers’ questions regarding compliance, with complete confidence.

Have you given thought to how GDPR will impact your business?

And what are you doing right now in order to be GDPR compliant by May 25th, 2018?

Let us know in the comment section below.

Disclaimer: This blog does not constitute any legal advice and as such the content (including any comments and or responses) should be used for information purposes only – we recommend you carry out your own research to ensure that you and your organisation are fully compliant with GDPR.