GDPR: What is it and how will it affect small businesses?

What is GDPR?

GDPR refers to European General Data Protection Regulation, an EU-wide change to data protection laws. The changes aim to:

1. Give people more control of their personal and sensitive data
2. Simplify the rules so they’re the same across the EU (the UK is likely to keep rules mirroring this post-Brexit).

The rules came into force on May 25 2018 and apply to anyone who controls or processes data, meaning that they are likely to affect most businesses, however small.

The data covered falls into two categories:

• Personal data: This means anything that can identify someone, be it an IP address, physical address or email address.
• Sensitive personal data: This refers to anything from genetic, religious, political or sexual orientation.

Once GDPR is introduced, people will be able to request that an organisation tells them which pieces of their data it holds. They’ll need to be provided this information, free of charge, within one month.

The impact of GDPR on small businesses

Unlike large businesses, small and microbusinesses don’t need to appoint a Data Protection Officer. However, they could be fined up to 4% of their annual turnover for failing to get sufficient consent to collect and keep data. In fact, even failure to keep accurate data records could result in a fine of up to 2% of annual turnover.

It’s fair to say that this subject is complex, however it relies on being clear with people about the data businesses collect and keep. They need to be specific about the information they are taking, what they will do with it and who else might see it. Importantly, people need to be given the chance to positively ‘opt-in’, having made a clear choice that they acquiesce to their details being taken. That means that they shouldn’t be presented with pre-ticked boxes or default options on forms they fill in, for instance.

Records of data consent need to be kept and it should be easy for individuals to withdraw their consent whenever they wish. People have the ‘right to be forgotten’ if they no longer want their data to be held.

GDPR and freelancers

Freelancers, too, need to be aware of the impact of GDPR. As well as the concerns of small businesses (freelancers are, after all, often sole traders or limited companies) there are two other issues to be aware of.

Firstly, businesses that commission work from freelancers need to ensure their data is collected and stored with the same rigour as employees. Too often, this information falls outside a HR system. Secondly, freelancers themselves must ensure they handle data with care and are aware of the policies and procedures of the companies they work with, especially since they might have access to data on a one-off basis.

How to make sure you and your business are GDPR compliant

So, what should you do? The Information Commissioner’s Office (ICO), which will enforce rules in the UK, has issued a list of 12 steps to take now. These are:

1. Make sure all key decision makers in your business are aware of GDPR
2. Document all the data you hold, where you got it from and who has access to it
3. Review privacy notices you issue when collecting data
4. Check to ensure you cover all eight rights for individuals covered by the rules
5. Develop a plan for dealing with data requests
6. Write up a document showing how you’ll lawfully use data
7. Review how you seek, record and manage consent to take data
8. Think about a system for parental/guardian consent for data involving children
9. Have an action plan to react to a data breach (including details of your cyber insurance)
10. Read up on the ICO’s ‘Privacy Impact Assessments’
11. Appoint a data protection officer (if you’re a big business or involved in the large scale processing of data)
12. If you operate internationally, you need to be clear about where your principal base is

For more information on these steps, read the ICO’s guide.