Disclaimer: GDPR (General Data Protection Regulation) is a very large and complicated piece of legislation. I’m not a lawyer. The information in this article is absolutely not legal advice and I cannot be held responsible for its accuracy. Details of where to get the legal information can be found at the end of this article. However, the information provided will give you a starter for ten and give the most up to date information I can find…as at January 2020.
GDPR (General Data Protection Regulation) came into force on 25 May 2018 for European businesses. As a small business, I read everything I could get my hands on to ensure that my business was compliant; 19 months on, there are still hundreds of businesses that don’t comply or who simply don’t know how to.
Although the UK is leaving Europe, a business that has any dealings with European countries, or has customers in European countries, will still be subject to GDPR, so it’s vitally important to understand what you need to do to comply. I know that you’re probably glazing over now, and you may think it doesn’t affect you or that nobody will know whether you comply or not, but small businesses are being investigated and questions are being asked, so it’s worth making the effort to ensure that you are covered…and it’s not too difficult to get your head around.
How do I know if my business is impacted by GDPR?
Basically, if you control or process any kind of customer personal data then your business is impacted. This could be as simple as keeping your customers’ names and addresses, telephone numbers or IP addresses. Obviously some businesses will keep a lot more, such as medical information, bank account details etc.
GDPR is just about protecting those individuals (your customers) from having their data fall into the wrong hands. The two key principles are that a business must have an appropriate, legal reason for processing personal data, and that it can only collect personal information for a specific purpose and use it only for that purpose.
The good news is that businesses with fewer than 250 employees are not required to keep records of their processing activities, unless the processing is a regular activity, concerns sensitive information, or could threaten someone’s rights.
Most of us who have a small business hold some form of personal information about our customers – it might just be an email address or name and postal address, so there are some things to do to be GDPR compliant. There are very steep fines for those who don’t.
How to comply
- Your responsibility
There are two terms to describe the people who collect and process data…
Data Controller – the person who decides how and why personal data is collected. This is usually the business owner, as in my case. This person must ensure that the business is compliant, including transparency, data storage, data confidentiality and accuracy of data collected and stored. The Data Controller is also responsible for reporting to the Information Commissioner’s Office (ICO) if a data breach occurs or if data is lost or stolen from your business…or to CNIL if you are in France.
Data Processor – the person (in my case it’s me too, as I don’t have any employees!) who is responsible for processing personal data. This includes anyone who has access to your customers’ personal information and uses it – say, for creating and sending marketing emails or sending out your newsletters to your customers. The Data Processor is responsible for ensuring data is processed in line with GDPR requirements; they should record processing activities and ensure appropriate security of the data they handle.
- You need to understand your data
– Do a thorough check on all the data you keep on your customers (and employees if you have them) – both past and present.
– Decide how much data you really need. GDPR states you only need to hold data that is absolutely necessary, and for as short a time as possible. If you have old Excel spreadsheets with old customer data, you could be falling foul of the rules, so get rid of anything you no longer need.
– If you have data that is defined by GDPR as ‘special categories of personal data’, you must have explicit permission from that person to hold that data about them. This includes political affiliation, religious beliefs, sexual orientation, trade union membership, racial and ethnic origin. The reason you must have permission to keep this data is that if it got into the wrong hands, it could be misused to discriminate against an individual.
– You need explicit consent from anyone whose information (no matter how much or how little) you are going to store.
You must get clear and explicit consent from your customer that they are happy for you to obtain and store their personal information. It must be clearly explained what personal information you want to collect and why, and how it will be used. The individual must agree and if they don’t, you must not collect and store their data under any circumstances. This includes conditional data collection, such as where you offer a freebie on your website to get people to sign up to your newsletter and then use that data for marketing your products or services.
You must be able to show that you have obtained consent for the data you hold. Not having a record of consent leaves you open to fines.
You must also provide an easy way for your customers to opt out, at any time in the future, of anything they’ve agreed to. So, for example, if you send out a newsletter, there must be a box or email address shown that clearly states that the customer can unsubscribe from it at any time.
- Old data
If you already have a database of customers and their information, or you take over a business from someone else, including their customers, GDPR requires you to re-consent all of those customers. This means you must contact every single customer you have information on and ask their permission to continue to store and use their data.
If they do not consent – and this includes anyone who does not respond – you must delete their data.
The same applies to any old data you have on anyone – if you no longer need it, it must be deleted.
For us small businesses, you need to have a policy that states how long you will keep a customer’s data if they are not continuously engaging with your business. For example, you could say that any data you hold will be deleted after 12 months if that customer has not engaged with your business during that 12-month period.
It’s a good idea to set up regular data reviews to ensure data is not kept longer than necessary.
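The re-consent and retention rules above (delete anyone without a recorded consent, including non-responders, and anyone who has not engaged within the retention period) can be turned into a regular data review. This is an added illustration, not code from the original article; the 12-month period is the article’s example policy, and the customer records, field names and dates are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

RETENTION_DAYS = 365  # the article's example policy: delete after 12 months without engagement


@dataclass
class CustomerRecord:
    """One row of a small-business customer list (field names are assumed, not from the article)."""
    email: str
    consent_recorded: bool            # do we hold evidence of explicit consent?
    consent_date: Optional[date]      # when that consent was given
    last_engagement: Optional[date]   # last order, reply, newsletter click etc.


def review_records(records: List[CustomerRecord], today: date) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (emails to keep, [(email, reason) to delete]) for a periodic data review."""
    keep: List[str] = []
    delete: List[Tuple[str, str]] = []
    for rec in records:
        # Rule 1: no recorded consent means no lawful basis; a re-consent request that
        # was never answered counts as no consent, so the record must go.
        if not rec.consent_recorded:
            delete.append((rec.email, "no record of consent"))
            continue
        # Rule 2: the most recent contact is the later of consent date and last engagement;
        # if it is older than the retention period the data is no longer needed.
        contacts = [d for d in (rec.consent_date, rec.last_engagement) if d is not None]
        last_contact = max(contacts) if contacts else None
        if last_contact is None or (today - last_contact).days > RETENTION_DAYS:
            delete.append((rec.email, "no engagement within retention period"))
        else:
            keep.append(rec.email)
    return keep, delete


# Constructed sample data for a review run on 15 January 2020.
SAMPLE_RECORDS = [
    CustomerRecord("alice@example.com", True, date(2019, 6, 1), date(2019, 12, 10)),   # active: keep
    CustomerRecord("bob@example.com", True, date(2018, 11, 1), date(2018, 12, 20)),    # stale: delete
    CustomerRecord("carol@example.com", False, None, date(2019, 12, 1)),               # never re-consented: delete
    CustomerRecord("dave@example.com", True, date(2019, 11, 1), None),                 # consented recently: keep
]

if __name__ == "__main__":
    kept, to_delete = review_records(SAMPLE_RECORDS, date(2020, 1, 15))
    print("keep:", kept)
    for email, reason in to_delete:
        print(f"delete {email}: {reason}")
```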
- Data storage and security
GDPR covers data no matter where it is stored – be it in email, in customer databases, on mobile phones, in a cloud-based service etc. As a small business, you need to create a data processing and storage policy. This should specify where customer data is kept, how it is protected (such as encrypting data and securing your website with SSL), who has access to it (most likely your data processor, to get email addresses, names etc.) and for what purpose (to send out a newsletter, for example).
If you transfer data from one person to another or share with third parties, you need a plan for how the data is moved (such as on a USB stick or laptop) as this is a huge risk – having data encrypted can help alleviate the risk, but my advice would be – don’t move it!
- Large businesses need to appoint a Data Protection Officer, but for the purpose of this article, talking to small businesses like mine (fewer than 250 employees), we would be exempt from this.
If you do have employees, especially if they have access to customer data, they need to be trained on data handling and security.
- Requests for access to data
Any EU citizen can request access to all the data you hold on them – known as a Subject Access Request (SAR). This can be anything you hold, from name, address and email address, to any references made to them in email messages, websites, electronic notes etc. If you’re a small business, this won’t be too difficult, but for huge businesses it would be very time consuming to go through hundreds of documents and data entries. That’s why it’s so important to know what you hold on your customers and where. If a customer makes a SAR, you have 30 days to comply, so it’s good to have a plan in place.
- Are your suppliers GDPR compliant?
Small businesses often rely on contractors and suppliers. Even if your business is GDPR compliant, you must ensure suppliers and contractors are also GDPR compliant.
Please note: Small businesses are exempt unless you’re working with a larger business that has more than 250 employees, in which case you can fall foul of GDPR if the larger business is not compliant. The quickest way to find out is to ask suppliers to complete a GDPR compliance form detailing how they handle data, security and storage procedures…and what type of data they handle. You can send them a GDPR compliance checklist for small businesses for them to complete. Ensure contracts specifically refer to a supplier or contractor being GDPR compliant. Include the right to audit their business if needed, such as making an on-site visit to review their data processing arrangements.
- Create data processing notices
Data handling must be fair and transparent, so you need to create a document explaining how your business deals with data, known as a Fair Processing Notice (FPN). It all sounds complicated, but an FPN is just about giving people clear information about what you’re doing with their personal data.
Your FPN should describe why you are processing their personal data, including that you have their consent via an opt-in or a sign-up to a newsletter, for example.
If you are sending their personal data to a third party, such as another customer, an employee or a supplier, you need to state this on the FPN.
You also need to say how long you will be holding onto their data, known as the ‘retention period’.
Finally, the FPN should point out to your customers that they have rights over their personal data – all of your customers should be made aware of these rights.
For more detailed information on GDPR…
Click here if your business is in France (in English!)
Click here if your business is in the UK.