General Business Forum Brought to you by 9 Spokes
Dismiss Notice
Hey Guest, make sure to follow us on Twitter! Say hi and we'll be sure to follow back!

Data laws are changing: here’s what small businesses need to know

  1. General Data Protection Regulation for small businesses
    Christian Annesley

    Christian Annesley Contributor Full Member

    Posts: 3 Likes: 1
    1 |

    Whatever happens with the UK’s Brexit plans, from 25 May 2018 Europe’s General Data Protection Regulation (GDPR) will apply in the UK. It’s legislation that was signalled last year that strengthens and unifies data protection for individuals in the EU – and it’s nothing for business to fear in a world where data is increasingly important.

    Christian Annesley runs through what’s at stake, and how businesses should approach their data management and customer relationships ahead of the May 2018 deadline.

    In May 2018, new data laws will apply in the UK under the General Data Protection Regulation (GDPR). This regulation is intended to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU and is designed to give citizens back control of personal data while simplifying the regulatory environment for international business.

    If this sounds like a headache, the message from every informed corner is that it doesn’t have to be. It’s important for companies not to view this work as a burden. The experts agree that the legislation is well-framed and is a good jumping off point for those looking to exploit data for commercial advantage.

    The Information Commissioner’s Office (ICO), which is the UK's independent body set up to uphold information rights, has also issued step-by-step guidance for businesses to approach the changes in good time. We’ve distilled the best of the ICO’s guidance and thrown in some advice from experts to get you up to speed even faster.

    Make all decision-makers aware

    With GDPR coming, you should make sure that decision makers and key people in your organisation are aware that change is on the way. Boardrooms need to appreciate the impact this is likely to identify areas that need attention to ensure compliance.

    Alison Deighton, head of data protection and privacy at the law firm TLT, emphasies this point strongly.

    “You cannot just delegate this work to a non-expert. You need to take it seriously and engage the right people at the top of the business. There needs to be boardroom accountability or you won’t have the right data culture.”

    Get started now

    Where to start? One place is to look is your organisation’s risk register (if you have one) that should log, and in broad terms assess, all your business risks. But there could be a lot to do beyond those documented top-line risks. With May 2018 coming up fast the message is very simple: don’t delay.

    Map and document everything

    Deighton at TLT says companies should start with a data-mapping exercise in relation to the relevant parts of the legislation, and review policies and processes at the same time.

    “There are new requirements, too, to tell personal users more about the data you are holding. And all privacy policies on websites will need updating.”

    The ICO says the basic methodology is to document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit, across the organisation, or within particular business areas.

    These changes in the legislation, and the responses it requires, are  partly about updating rights for a networked world. For example, if you have inaccurate personal data and have shared this with another organisation you will have to tell the other organisation about the inaccuracy, so it can correct its own records. But won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with – so that’s the challenge.

    Doing this will also help you to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles.

    Communicate your privacy information

    Companies should review current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

    What does this mean? Well, when you collect personal data you currently have to give people certain information, such as your identity and how you intend to use the gathered information. This is usually done through a privacy notice. Under the GDPR there are some further things you will have to tell people. For example, you will need to explain your legal basis for processing the data, your data retention periods and to explain that individuals have a right to complain to the ICO if they think there is a problem.

    This communication needs to be concise and clear, as you would imagine.

    Think about the rights of individuals

    You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

    The main rights for individuals under the GDPR will be:

    • Subject access
    • To have inaccuracies corrected
    • To have information erased
    • To prevent direct marketing
    • To prevent automated decision-making and profiling
    • Data portability

    On the whole, the rights individuals will enjoy under the GDPR are the same as those under the current Data Protection Act – with some significant enhancements - and the transition should be relatively easy.

    Know how to deal with access requests

    You should update your procedures and plan how to handle access requests, including additional information.

    How are things changing? The rules for dealing with subject access requests are altered under the GDPR. In most cases you will not be able to charge for complying with a request and normally you will have just a month to comply, rather than the current 40 days.

    There will also be different grounds for refusing to comply with subject access request – manifestly unfounded or excessive requests can be charged for or refused. But if you want to refuse a request, you will need to have policies and procedures in place to demonstrate why the request meets these criteria.

    You will also need to provide some additional information to people making requests, such as your data retention periods and the right to have inaccurate data corrected.

    Is your data processing legal?

    You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.

    The most obvious point to make in relation to the legality of data processing  is that people will have a stronger right to have their data deleted where it’s their consent that is being used as the legal basis for processing.

    Look at how consent was given

    Related to the legal question above, you should review how you are seeking, obtaining and recording consent – and whether you need to make any changes.

    Like the current law, the GDPR has references to both ‘consent’ and ‘explicit consent’. What’s the difference between the two? It is not clear at the moment, given that both forms of consent have to be freely given, specific, informed and unambiguous. But the more you understand about how consent was given the better.

    Know how to deal with a data breach

    You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

    Some organisations are already required to notify the ICO (and possibly some other bodies) when they suffer a personal data breach. However, the GDPR will bring in a breach notification duty across the board.  Not all breaches need to be notified, but it’s a question of knowing when it is necessary to tell the ICO.

    Get to grips with Privacy Impact Assessments

    You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments. How can you implement them in your organisation?

    You probably need a data protection officer

    Ideally you should designate a data protection officer – or at least someone to take responsibility for data protection compliance and assess where this role will sit within governance arrangements.

    Trading internationally? Be clear about your relevant authority

    If your organisation operates internationally, you should determine which data protection supervisory authority you come under. Mostly this will be the UK, if that’s your head office, but if it’s not quite cut-and-dried it needs to be reviewed.

    We’ll keep you up-to-date with insights on GDPR and its implementation in the weeks and months ahead.

  2. jujupock

    jujupock UKBF Newcomer Free Member

    Posts: 2 Likes: 0
    Great article thanks Christian. Data privacy and information security compliance can seem daunting but there is a great software solution that helps people address the requirements of GDPR. There is a framework to follow to prepare, and then manage compliance on an ongoing basis. It includes tools for the privacy impact assessments, subject access requests and policy creation, maintenance and distribution.
    Last edited by a moderator: Mar 2, 2017
    Posted: Feb 24, 2017 By: jujupock Member since: Apr 26, 2016