Since May 2018, every business in the UK has had to abide by General Data Protection Regulation (GDPR).
And we’re not going to lie, GDPR can be pretty hard to get your head around if you’re not a legal expert, but it’s really important that your business complies and that you know what you need to do.
We’ve put together this guide to help you understand everything you need to know about GDPR and ensure you’re operating your business within the bounds of the law. If there’s anything on here that you’d like to discuss in more detail, please contact us.
What is GDPR?
GDPR is a new set of data privacy laws that were implemented across Europe to help protect individuals’ personal information.
The new regulation replaced data protection rules that were set nearly two decades earlier – long before people began sharing their personal information online so freely.
GDPR has been designed to give greater protection and rights to individuals in the digital age by limiting the way businesses and organisations can handle and use the information they gather from those that interact with them.
It provides people more access to the information companies have stored about them and limits what organisations can do with their personal data.
It also helps ensure more trust between consumers and the companies they buy from.
If a business is caught breaching GDPR, it will face a hefty fine. If you’re suspected of deliberately breaking GDPR rules, you could even face prison time.
What is classed as personal data?
Given that GDPR is all about personal data, let’s define exactly what that is before we delve into the details.
The data you collect on your customers is considered personal if it relates to a specific person’s:
Your employee records, customer details and business contacts will all involve some of this information in some way. That means they’re protected by GDPR.
Does GDPR apply to me?
GDPR applies to every business that has customers, employees, or clients in the EU.
The UK government has also confirmed that it will be following GDPR after it leaves the EU, so Brexit won’t affect the way you need to interact with your customers’ personal data.
However, GDPR doesn’t apply to every organisation equally. You need to answer two questions to understand what your specific responsibilities are:
Do you have 250 or more employees?
If you have 250 or more employees, you need to hire a Data Protection Officer to ensure you fully comply with GDPR at all times.
If you have fewer members of staff, this isn’t something you have to worry about.
Are you a ‘data processor’ or a ‘data controller’?
GDPR draws a line between a ‘data controller’ and a ‘data processor’ to recognise that not every organisation involved in the processing of personal data has the same amount of responsibility.
An organisation is a data controller if it decides why and how personal data is processed.
A data processor, on the other hand, is an organisation that processes another business’s personal data on its behalf.
For example, if you pay your staff through a payroll handling company, your business is the data controller and the payroll company is the data processor.
Because data controllers are responsible for how the personal data they have on record is used, they have greater responsibilities under GDPR; they not only have to follow GDPR rules themselves, but they need to make sure any data processors they use do as well.
If either they or their data processors breach GDPR, data controllers will be punished.
What are GDPR’s seven key principles?
GDPR is based on seven key principles, which are:
While these principles aren’t rules in and of themselves, they’re the foundation which the data protection laws stem from.
The Information Commissioner’s Office (ICO) recommends that “these principles should lie at the heart of your approach to processing personal data”.
So, if you’re in doubt, use these principles as your North Star when making any data protection decisions.
Individual’s rights under GDPR
GDPR provides individuals with the following eight rights:
If you stick to your responsibilities as a business owner, you won’t infringe on any of these rights.
What do I need to do to make my business GDPR-compliant?
Now that you’re clear on what GDPR is, how it applies to you, and what the core principles are, it’s time to cover exactly what you need to do to ensure your business complies with these data protection laws.
Data protection by design and default
‘Data protection by design and default’ – commonly known as privacy by design – has always been a key part of data protection laws, but under GDPR it’s now a legal requirement.
To comply with data protection by design and default, you need to create your business practices, websites, and data handling processes with privacy and security front of mind.
Practically speaking, this means you need to follow the ICO’s data protection by design and default checklist.
These guidelines include steps like adopting a ‘plain language’ policy for all public documents so people can easily understand what you’re doing with their personal data, and offering strong privacy defaults.
Getting GDPR-compliant consent
The key pillar of GDPR – and the main thing you need to worry about as a business owner – is that you need to get legal consent to store and use people’s personal data.
Under GDPR, for consent to be valid it needs to be specific and informed, freely given, and unambiguous.
For consent to be freely given, users shouldn’t have to consent to have their personal data tracked in order to browse a website. Their consent must be given freely under no obligation.
And for consent to be unambiguous, a person needs to opt in to allow you to track and use their personal data.
To ensure your business is getting GDPR-compliant consent, it’s therefore your responsibility to ensure your website only features active opt-in functions.
Under GDPR, consent can’t be given through checkboxes that have been pre-ticked in webforms or notices – a user needs to actively click a button or tick a box to say they accept cookies being tracked or that they want to be added to an email list.
The only way for a user to consent to receiving emails from your business, for example, should be to tick a box that opts them in to receiving emails from your business.
This checkbox can’t be pre-filled – users must actively check it.
According to GDPR guidelines, your requests for consent also need to be unbundled. That means you need to separate individual consent requests. For example, when asking customers if they’d like to receive communications from your business, you need to provide separate checkboxes for being contacted through email, post, and SMS.
You must do this through a consent form that appears as soon as someone lands on your site.
Sign-up pages and contact forms
You always need to provide people the opportunity to review your data handling policies before they submit any personal data.
GDPR also requires you to keep a record of all consent given to you by your customers and how you obtained that consent.
Your records must include:
A customer can withdraw their consent at any time. If they do so, you need to record that they withdrew their consent and remove their records from your files.
GDPR guidelines state that it should be as easy for someone to revoke their consent as it is for them to provide it in the first place. In practice, that means that you should provide easily accessible privacy settings and an option to unsubscribe from your newsletter with each email.
If a person does revoke their consent, your use of their personal data up until that point is still legal. You just have to remove their personal data from your records as soon as possible.
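The consent requirements above (one unchecked box per channel, a record of when and how each consent was obtained, withdrawal that is recorded rather than silently deleted, and processing that stays lawful up to the moment of withdrawal) translate into a small consent ledger. The code below is an added illustration written for this guide, not code from the ICO or from any product; the form field names, channel list, subject ids and timestamps are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Each communication channel gets its own consent (unbundled requests).
CHANNELS = ("email", "post", "sms")

# Values a browser sends for a ticked checkbox; an unticked box is simply absent.
_TRUTHY = {"on", "true", "1", "yes"}


@dataclass
class ConsentRecord:
    """One consent event for one channel, kept as evidence of how it was obtained."""
    subject_id: str
    channel: str
    given_at: datetime
    source: str            # the form or page where the box was ticked (assumed name)
    wording: str           # the exact text shown beside the checkbox
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only log of consents; withdrawal marks a record, it never erases it."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record_from_form(self, subject_id, form_fields, source, wording, now):
        """Turn a submitted form into consent records, one per ticked channel.

        Only a field that is present and affirmative counts: a box the user left
        unticked is never sent by the browser, so absence is never read as consent.
        Fields for channels we do not recognise are ignored rather than guessed.
        """
        granted = []
        for channel in CHANNELS:
            value = str(form_fields.get(f"consent_{channel}", "")).strip().lower()
            if value in _TRUTHY:
                if channel not in wording:
                    raise ValueError(f"no consent wording recorded for {channel}")
                self._records.append(
                    ConsentRecord(subject_id, channel, now, source, wording[channel])
                )
                granted.append(channel)
        return granted

    def withdraw(self, subject_id, channel, now):
        """Mark every active consent for this channel as withdrawn; returns how many."""
        count = 0
        for rec in self._records:
            if (rec.subject_id == subject_id and rec.channel == channel
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = now
                count += 1
        return count

    def is_permitted(self, subject_id, channel, at):
        """Was use of this channel covered by consent at time `at`?

        Consent covers the period from when it was given until it was withdrawn,
        so processing before withdrawal remains lawful and anything after does not.
        """
        return any(
            rec.subject_id == subject_id and rec.channel == channel
            and rec.given_at <= at
            and (rec.withdrawn_at is None or at < rec.withdrawn_at)
            for rec in self._records
        )

    def active_channels(self, subject_id):
        return sorted({r.channel for r in self._records
                       if r.subject_id == subject_id and r.withdrawn_at is None})

    def records_for(self, subject_id):
        """All consent evidence held about one person, including withdrawals."""
        return [r for r in self._records if r.subject_id == subject_id]


def demo():
    """Constructed walk-through: a sign-up with two boxes ticked, then an SMS withdrawal."""
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # Constructed submission: the browser sends only the boxes the user ticked,
    # so 'consent_post' is absent and must not become a consent record.
    submitted = {"name": "A. Example", "consent_email": "on", "consent_sms": "on"}
    wording = {c: f"Tick this box to receive offers by {c}" for c in CHANNELS}
    granted = ledger.record_from_form("user-42", submitted, "signup-form-v3", wording, t0)
    t1 = t0 + timedelta(days=30)
    withdrawn = ledger.withdraw("user-42", "sms", t1)
    return {
        "granted": granted,
        "withdrawn": withdrawn,
        "active": ledger.active_channels("user-42"),
        "sms_before": ledger.is_permitted("user-42", "sms", t0 + timedelta(days=5)),
        "sms_after": ledger.is_permitted("user-42", "sms", t1 + timedelta(days=1)),
        "post_ever": ledger.is_permitted("user-42", "post", t1),
        "evidence_count": len(ledger.records_for("user-42")),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that withdrawal sets `withdrawn_at` instead of deleting the record: the guide says you must record that consent was withdrawn, and keeping the dated entry is what lets `is_permitted` answer truthfully about processing that happened before the withdrawal while refusing it afterwards. Whether the box was pre-ticked cannot be seen from the server side, which is why the guide's rule about unticked defaults has to be enforced in the form itself.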
What to do if a customer submits a Subject Access Request
Under GDPR, people have the right to find out what an organisation knows about them.
They can obtain this information by submitting a Subject Access Request (SAR).
If someone submits a SAR to your business, you’re legally obligated to provide them with a copy of all their personal data your organisation has on record within a month.
A customer can make a SAR either verbally or in writing to any person within your organisation. This doesn’t have to be formally submitted as a SAR – if someone asks for a record of their personal data over the phone or on social media, you have to provide it to them.
If you receive a SAR, you’re obligated to provide the requester with a copy of all their personal data that you have on record, details about why you were processing this information and how the information is being used, and information on how long it will be kept for.
If you only have your customers’ names and contact details on file, this will be a relatively painless process.
Large tech organisations, on the other hand, have had to give all their users access to their personal information through a user portal. For example, Facebook, Google, and Twitter all allow their users to access all their personal data directly through the settings of their accounts.
What to do if you suffer a data breach
If the personal data you have on record is breached, you’re required to inform the EU supervisory authorities within 72 hours under GDPR.
If you’re a data processor, you must inform the data controller whose data has been affected immediately.
If you fail to do so, you’ll suffer severe penalties.
You therefore need to have a clear plan in place so that everyone within your business knows the processes to follow if you do suffer a data breach.
Register for the DABS programme today.