When the internet was in its infancy the Data Protection Directive (1995) was adopted as the starting point to help protect our personal data. Since then, the exponential growth of everything online means far greater control over how our personal data is managed has become a necessity; hence the launch of the General Data Protection Regulation, which comes into force throughout the European Union on May 25th 2018.
This might be a good opportunity to dispel a myth: that the GDPR will not apply to the UK once Brexit comes into play. It will. The GDPR will be enshrined in UK law after May 25th, 2018 and will remain so beyond Brexit.
As the May deadline looms closer, the volume of content attempting to explain what the GDPR really means, and what businesses need to do in order to comply with the new regulation, continues to increase, but very little explains the actual point.
Implementing the GDPR is a daunting enough prospect for businesses of all sizes, and this is worsened by the fact that the regulation applies equally, regardless of business size – it really is the same requirement for everyone, from Amazon to a local accountant. It won’t be easy, of that there is no doubt, but it’s also both unavoidable and extremely worthwhile, and therefore important to understand how it will impact your business.
To become compliant, larger businesses will confer new responsibilities on existing, if slightly bewildered, staff to ensure effective implementation, either independently or in collaboration with a consultant. Smaller, less-informed businesses will find it much harder because of their limited resources and the belief that the GDPR probably doesn’t all apply to them.
The new regulation is clear and defined in its purpose, and the ICO (Information Commissioner’s Office) has information and guidance in abundance. However, much of the content available focuses on the multitude of steps business owners need to take, partly to avoid potentially massive fines, with less of a direct emphasis on the ‘why’.
It’s the ‘why’ that is the basis on which the GDPR is formed.
The ‘why’ is personal data. Not other people’s personal data; YOUR individual, personal data. Specifically, information that may be used in isolation or collectively to identify you as a living person.
Of course, it is really about other people’s personal data and how it’s managed but, if you consider how you would like your own personal data to be managed by others, it instantly gives you insight into why you, as a business owner, need to have processes in place to manage other people’s personal data.
For example, imagine that you purchased some goods from a company online. You know they hold personal information about you such as your name, email address, phone number, home address, delivery address, credit card details, etc., and this is standard procedure, something we’ve all been used to for many years.
However, have you ever considered how the company holds that data? Have you considered whether or not the data is secure? Have you thought about how many complete strangers will share that data, including their suppliers, other staff in their office, delivery companies, online cloud storage services, website developers and hosting providers etc.? Have you considered how each of these third-party ‘stakeholders’ will handle your data; what security measures they have in place and who they might also share the data with – all in the course of normal business?
If not, and you’re beginning to feel a little uncomfortable with how information that can identify you personally is out there, somewhere, accessible by dozens of people whom you will never meet and over whom you have zero control… then this is precisely the reason you should be looking at your own business processes to ensure any personal data you hold on customers, suppliers, staff, subscribers, members etc., is managed and appropriately secured.
Here’s how one set of your personal data might be disseminated from a single online order:
You can see how, from placing a single order online, your personal data would quickly spread to multiple users within a company and multiple users outside of that company – all so that your payment can be taken and your order processed and delivered.
Under the GDPR the company will need to be clear about how your personal data will be processed and managed.
So, where do you go from here?
The first step is to take a close and detailed look at all your day-to-day working practices. It’s likely you’ll be surprised at how many opportunities exist that could, potentially, find you in breach of the regulation.
Consider the following, for example:
- Do you or your staff ever take credit card information from a customer and write the details down to process later?
- Does anyone in your office have access to staff/employment records, past and present?
- When recruiting, do you keep candidates’ printed or digital application forms and CVs in a folder that other staff have access to?
- Do you keep a printed list of useful contact numbers (staff, suppliers, etc.) for everyone to use?
- Do you share customer order information with third-party suppliers (e.g. for delivery)?
- Do you send your customers a regular newsletter by email or post?
- Do your staff walk away from their PCs without locking the screen?
- Do you have a contact form or newsletter sign-up form on your website that doesn’t tell the visitor how you will manage their information, or that doesn’t ask their permission for you to process the information they include in the form?
- Does anyone associated with your business (sales staff, admin staff, researchers, etc.) work remotely with a laptop or mobile phone/tablet that contains, or has access to, company information (emails, email addresses, customer details, staff records etc.)?
For many businesses it would not be unusual for all or most of the above to apply, mainly because there have never been any controls in place – and the above is still only a small sample of the ways personal data could be mishandled. If you have answered ‘yes’ to any of the above examples – or any version of them – then you’ll need to create a documented process to change the way you work and, of course, change the way you work!
To reiterate the importance of the above points: think again about how you would feel if any information that could identify you personally was available to people who either didn’t have your permission to see/use it, or had no reason to see/use it in the first place. That is the point of the GDPR, not how much (or little!) you have to do in order to avoid being fined.
Not surprisingly, the ICO is a mine of information. You will find everything you need to know about the GDPR, even if it’s not all in the most intelligible form because of the language and terminology used.
Below is a link to the ICO’s guide to all things GDPR. Even if you don’t read it fully it’s a great point of reference for when you get stuck on something. If you suffer with insomnia, it’ll help that too: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
In summary, if you’re just getting started, here’s a quick to-do list to follow:
- Assign someone to take responsibility for overseeing GDPR compliance activities
- Take a long, hard look at your current security and privacy processes
- Update your third-party contracts (suppliers & customers) in line with the requirements of the GDPR
- Identify any personal information that’s being collected through any of your processes
- Review how this personal information is being processed and stored
- Determine all the third parties you disclose this data to
- Create a process for responding to people who request details of the data you hold
- Develop a process for what to do if there’s a data breach
- Ensure you keep your employees fully aware of continuous GDPR compliance
A great place to start is this ‘Preparing for the GDPR – 12 steps to take now’ document: