What Your Small Business Needs To Know About GDPR
29th March 2018
In the digital age, data is king. Every business runs on the data it uses, whether for making business decisions, advertising to its users or developing new technologies. Until recently, the data protection laws that applied to the general public dated from the 1990s: the EU Data Protection Directive (95/46/EC) of 1995, implemented in the UK by the Data Protection Act 1998. That was a time before data giants such as Google, Facebook and Amazon were collecting a wealth of information on their users on a daily basis.
The EU recognised the need to bring in a new set of regulations to replace the Data Protection Directive, one that would recognise the way data is used today and address the problems arising from its misuse. A recent example is the Cambridge Analytica story, in which information from millions of Facebook profiles was gathered and used in attempts to influence major political events such as the 2016 US Election and the EU Referendum. By introducing these rules, the EU hopes not only to protect the general public from the misuse of their data, but to establish one clear, consistent set of obligations for every organisation or individual within the EU.
It is for this reason that, from 25th May 2018, the General Data Protection Regulation (GDPR) will apply across the EU. It builds on the framework already put in place by the Data Protection Directive, adjusting some of the existing rules, adding a considerable number of new requirements for organisations and defining new rights for the individual.
GDPR is a complex set of regulations with many facets, but there are some key aspects that every business should know:
Consent
Where your business relies on consent to collect or process personal data, that consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action for a specific purpose. Inaction, silence, assumed consent, or pre-ticked boxes will no longer count as consent, and individuals must be able to withdraw consent as easily as they gave it. Consent is only one of the six legal bases for processing (see below); if you rely on a different basis, say so in your privacy information rather than asking for consent you do not need.
Data Protection Officer
Where practical, your firm should appoint a Data Protection Officer to manage and monitor your data governance. In some cases this is mandatory: if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if your core activities involve large-scale processing of special category data (such as health, religious belief or sexual orientation) or data about criminal convictions. For other organisations it is not a compulsory part of compliance, but it remains a prudent decision.
Data Protection by Design
New systems and processes should be designed with data protection built in from the start (data protection by design and by default), and where a processing activity is likely to result in a high risk to individuals you must conduct a data protection impact assessment (DPIA) before starting it, to identify the risks and the measures needed to address them. A DPIA can be performed internally or through a third party company. Zinc Digital do not offer an assessment service, but can assist with the implementation of the actions identified by your assessment.
International Transfers
Personal data transferred out of the EU must still be given an appropriate level of protection. Transfers are only permitted where a recognised safeguard is in place, such as a European Commission adequacy decision for the destination country, standard contractual clauses with the recipient, or, for US recipients, certification under the EU-US Privacy Shield agreement. Transferring under Privacy Shield does not relieve you of your other obligations for that data.
Data Mapping
Every organisation should know what personal data it handles, where it came from, where it is stored, who it is shared with and how it flows through its systems. Most organisations will also need to keep a written record of their processing activities, and you cannot respond properly to a subject access request or a breach without this map.
Data Subject Rights
Your users now have rights that you should be aware of: the right to be informed, the right of access, the right to rectification, the right to erasure (also known as the right to be forgotten), the right to restrict processing, the right to data portability and the right to object. They also have the right to be told the purpose of and legal basis for your data collection, and to obtain an explanation of any automated decisions made about them. For more information on Data Subject Rights,
Legal Basis For Processing
If you process any personal data, which the majority of businesses do, you need a legal basis for doing so, and you should identify and document it before you start processing. There are six lawful bases:
- Consent: the user has provided express consent for you to process their personal data for a specific purpose.
- Contract: data processing is required for a contract you have with the user, or because they have requested that you take certain actions before entering into a contract.
- Legal obligation: data processing is required in order for you to comply with the law (for example, keeping payroll or tax records).
- Vital interests: data processing is required to safeguard someone’s life.
- Public task: data processing is required for you to complete work in the public interest or for your official functions, and this must have a foundation in law.
- Legitimate interests: data processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a valid reason to protect the individual’s personal data which overrides those legitimate interests. (This does not apply if you are a public authority processing data to perform your official tasks.)
Data Security and Controls
Your company must have appropriate technical and organisational security controls in place to protect the personal data it holds, proportionate to the risk. If a personal data breach occurs, you must report it to the ICO (or the relevant supervisory authority in your country) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to individuals, you must also tell the affected data subjects without undue delay. Keep a record of every breach, including those you decide not to report and why.
The principles of the GDPR must be upheld: personal data must be processed lawfully, fairly and transparently; collected for specified, explicit purposes and not used in ways incompatible with them; limited to what is necessary; kept accurate and up to date; kept no longer than needed; and protected by appropriate security (integrity and confidentiality). Under the accountability principle, you must be able to demonstrate that you meet these requirements.
These obligations apply to every business, no matter the size. Previously, small companies faced a lower risk of serious consequences. Now that the rules are standardised across the EU, the ramifications of breaching the GDPR are standardised too. Businesses could be subject to a fine of up to 4% of their global annual turnover, or €20,000,000 – whichever is larger. The financial impact of infringing the GDPR could be devastating to a small business. Companies have a responsibility not only to comply with these regulations, but to demonstrate this compliance by documenting their policies and procedures. As standard, your business should be preparing itself to present evidence of compliance in the event of an audit.
For consumers, there are equally important things to consider. Every internet user will have new and comprehensive rights that will change the way the sites they visit interact with them.
The right to be informed – an organisation must be honest with you about how your data is being used. The information must be concise, easily understandable, free to access, and provided at the time the data is collected.
The right of access – individuals can receive confirmation that their data is being processed, access to the personal data itself, and information about the purposes of the processing and who the data has been shared with. This must normally be provided free of charge within one month.
The right to rectification – if the personal data is inaccurate or incomplete, users have the right to request that it is corrected both in the organisation's records and in those of any third parties that the data has been shared with.
The right to erasure – an individual can have their personal data erased where, for example, they withdraw the consent the processing relied on, they object and there is no overriding legitimate interest, or the data is no longer necessary for the original purpose.
The right to restrict processing – in some circumstances, such as while an objection or a challenge to the data's accuracy is being considered, or where the data is no longer needed but the individual wants it retained for a legal claim, organisations must stop actively processing the data and only store it.
The right to data portability – users can obtain and reuse their personal data as they wish, including moving, copying or transferring it to another environment. This applies to data they provided where processing is based on consent or a contract and is carried out by automated means. It must be provided securely, in a structured, commonly used and machine-readable format.
The right to object – individuals can object to processing based on legitimate interests or an official authority's public task (including profiling), to processing for direct marketing, and to processing for scientific or historical research or statistics. An objection to direct marketing must always be honoured.
Rights in relation to automated decision making and profiling – where a decision based solely on automated processing produces legal or similarly significant effects on the user, the individual has the right to challenge the decision, to obtain human intervention, and to be given an explanation of the logic behind it.
Zinc Digital is a digital agency that is working with organisations to help achieve GDPR compliance. Whilst we won’t advise you on your own specific GDPR requirements, we can assist you in implementing the actions advised in a third party or internal gap analysis.