By Gemma Newsham, Regulations Director, Opus Energy
The General Data Protection Regulation is a term which has been on many people’s lips for months. Not only is it the biggest overhaul of how personal data is controlled since the Data Protection Act of 1998, it also makes organisations accountable not only for how they manage personal data, but for how they secure it too. Whether the business has one or one thousand employees, if it is handling an individual’s personal data, it needs to know, among other things, that the data has been obtained fairly and lawfully, where it’s located, what its purpose is, who it’s shared with and that it’s secure. For any business this is a significant administrative burden, but for a smaller firm with limited resources, adhering to the GDPR and the Information Commissioner’s Office’s (ICO) guidelines can be a challenge.
It also seems to be an issue smaller organisations may prefer not to face. According to information from the Federation of Small Businesses, just 8% of UK SMEs are ready for the upcoming legislation. Perhaps more stark is the news that 33% of small businesses said they hadn’t started their preparations.
Thanks to the Cambridge Analytica scandal, people have never been more aware of their personal data: how it’s collected and how it’s used by companies. As a result, businesses (no matter their size) need to be more upfront about how they use personal data, and prove to individuals that their data policies comply with the new guidelines.
This is easier said than done, however. Let’s face it, the term ‘personal data’ is regularly bandied around yet rarely defined, making it hard to work out quickly what’s needed. For anyone working in a small business, taking the time to understand the legislation and then ensure compliance is a difficult ask, as financial restrictions may well prevent the employment of a full-time data protection officer to oversee the task at hand. This initial understanding is crucial, as knowing the ‘categories’ of personal data can help SMEs organise their data correctly. So, for any small businesses still unsure of what needs to be considered before May 25, here are some of the most pertinent requirements set out by the ICO:
- Know your personal data
The GDPR requires businesses to get to grips with what personal data they hold. Firstly, it’s important to define what we mean by ‘personal data’. Under GDPR, this is any information which can be used to identify an individual: for example, names, addresses, social channel information, cookies, email addresses, mobile phone numbers, dates of birth or location data. However, there’s also a secondary category of personal data which is considered more sensitive. It includes qualitative information a small business might hold on a customer following surveys or personal interactions such as health tests. This can be information such as sexual orientation, ethnicity, health or genetic data. Therefore, small firms need to be aware of the special types of personal data they hold on individuals and, where relevant, ensure it has higher standards of protection.
Knowing your personal data also spans data captured from social media: for example, customer personal data shared on WhatsApp or Facebook, data shared internally via messaging platforms such as Slack, along with more traditional forms such as CVs. So, small businesses should go through all their files, identify what is classed as personal data and question why they have it (i.e. is it critical to business operations and was it obtained fairly and lawfully). The GDPR hinges on a business being transparent and accountable for the personal data it processes, so any personal data that SMEs can’t prove was obtained legitimately may need to be deleted. Yes, large swathes of historic information may be lost, but the new fines will far outweigh the damage done to customer insights.
Overhauling how personal data is collected and identified is one of the hardest parts of GDPR compliance, as it involves a review of historical files. For some SMEs, particularly those on the business-to-business side, this will be less of a burden because they hold fewer data files on individuals, but take care over sole traders and partnerships, whose details are still personal data. The review still needs doing, as suppliers’ names and addresses, coupled with historic employment data, could be sitting in files unnoticed. Therefore, knowing your personal data is a key step in ensuring small business GDPR compliance.
- Location, location, location
Part of an SME’s understanding of the personal data it controls involves knowing its location. For example, a key issue many SMEs encounter is duplicated data, sometimes across multiple servers. This should be addressed, because GDPR gives individuals the right to have their personal data corrected and, in certain circumstances, to be forgotten. So, if an individual submits a request for their details to be corrected or deleted, it must be done within 30 days, or reasons given as to why it can’t be done. For this to be completed successfully, SMEs need to locate the personal data, update or delete it so there is no trace left, and be confident that nothing remains lurking on the system. Duplicated data elongates this process and, from an administrative point of view, takes up space on servers or in the cloud. So, it’s in everyone’s best interests to ensure files are not replicated across systems.
- Don’t give away the keys to the castle
Personal data needs protecting, otherwise SMEs could be in for a large fine. The top tier fines under GDPR are €20 million or 4% of global turnover (whichever is higher), which for most small businesses would be an unexpected and potentially damaging expenditure. Whilst these fines would realistically be reserved for companies holding vast swathes of personal data (think international retailers, internet providers or banks), SMEs need to prove they’re doing what is reasonable and proportionate given the risk their processing poses to the individual. Therefore, ensure that adequate cyber protection has been installed and that people know how to use it properly; otherwise it’s like leaving the back door open to burglars. Educate employees about personal data (opting in, collection, storage and protection) so that everyone across the business, from reception to the CEO, is aware of the changes and on board. Data protection involves having appropriate technical and organisational measures, which means a review and possible update of your technology, processes and people’s behaviour.
- Future-proofing personal data
SMEs also need to consider how they will legally gather personal data in the future, so that they maintain compliance. This includes making individuals aware of how their personal data will be used, by explaining the need for its collection, why it’s necessary (such as for service provision) and setting out how it will be held securely. This can be covered off in an updated privacy notice.
Ultimately, whilst it is an initial burden, GDPR is a force for good. The Data Protection Act didn’t go far enough to control how personal data is used, and the Cambridge Analytica story brings to light why the use of personal data needed stricter law to help individuals regain control of how their information is processed by others. You could argue that this law has been a long time coming (just think how many companies have been hacked over the past 12 months), but what’s important is that we, as businesses, help individuals regain trust in how we hold their personal data, and use it to deliver a better service to them.
If you need further clarity on how to better manage your GDPR compliance, check out the ICO website for resources and guidance directed at small businesses.