The Data Protection Act of 1995 is being replaced with General Data Protection Regulation (GDPR) from May 2018. There is a lot of talk about the changes and some untruths going around, so here at QBH we like to take some of the hot-air out of these things and present you with some facts, and a little guidance on your accountabilities.
Dispensing with one myth immediately: this does apply to you if you are a small business, even if somehow you have been told otherwise! However, if you have fewer than 250 employees, you need only document processing that:
• is regular;
• is high risk;
• or involves special categories of data.
These are the only dispensations!
Mythbuster two: you do not need anyone and everyone’s written permission to hold their data! Whilst giving ‘Consent’ does apply to some marketing activities, many of a business’s day-to-day processing responsibilities are not conducted using Consent as the Legal Basis and are unaffected.
I’m getting technical, sorry. But it is important to understand that much of the fuss about GDPR is around ‘Consent’, which is admittedly where most of the new legislation is going to make an impact, but it is also only one of six different Legal Bases for holding and processing information. A tiny part of a huge EU Directive. Here is our guide to the rest:
1. Information Audit – This is your starting point: ask yourself what personal data your business holds and what you do with it. For each set of data you should consider the security levels too.
2. Legal Basis – Now you know what information you have, what you do with it and how often, you need to identify the most appropriate Legal Basis for that processing and document it. A simple register is adequate. It is very important to get this element right first time. You then create a Data Protection Statement, known as a Privacy Notice and have this available for anyone to view.
3. Consent – One of the Legal Bases for processing information is Consent. This is where the big changes are happening. Think ‘tick-boxes’ for marketing. Someone is completing their details on a website, to place an order perhaps; we are used to accepting that our details will end up on a database somewhere to be marketed AT. No more. The control to not Consent to this kind of activity is now in the hands of individuals, and we will all be grateful for it! That is not to say you can’t do it anymore, but your request for Consent needs to be clearer and well-defined.
4. Data Subject Rights – Everyone has the right to access information that is held on them, and businesses should have a procedure for dealing with such requests, but that is not new to these regulations. You will have heard about the Right to be Forgotten – there is likely to be a spike in such requests but it is not applicable to data that has been processed to comply with the Law. Many general business marketing activities will be conducted as Legitimate Interests; provided you have an ‘unsubscribe’ option, you are compliant.
5. Registering with the ICO – Not necessary for everyone, but voluntary registration can be a good indicator to your customers. Appointing a Data Protection Officer isn’t an obligation on all businesses, but it could be worth considering an externally contracted DPO if you don’t have the resources within your business to meet the GDPR requirements.
We hope you found this useful but if you would like any assistance in understanding how the regulations apply to the information in your business, please do not hesitate to get in touch. We are developing systems that can be customised for your business, and we are happy to spend time with you to get it right first time.
01303 297034 / 07795 564089
HR & COMPLIANCE DOESN’T HAVE TO BE ROCKET SCIENCE