GDPR: a guide for business
6th November 2017
Data protection is a hot topic at the moment, thanks to recent cyber-attacks on everything from celebrities’ cloud storage accounts to the client records of multinational banks. Protecting your personal data has never been more important.
In response to these cyber threats, and as a result of the vast amounts of sensitive information now stored in digital format by businesses and individuals worldwide, the government has decided that something needs to be done to ensure the security of our personal data. That something is the General Data Protection Regulation (GDPR).
GDPR is an EU law, but if you’re hoping it won’t affect us post-Brexit, you’d be wrong. The UK government has vowed to adopt GDPR and enforce it whether or not Britain remains in the European Union.
The Information Commissioner’s Office (ICO), which is an independent authority set up to uphold information rights in the public’s interest, has lots of resources on its website about data protection reform and how businesses can prepare for the change in legislation, which will come into effect on 25th May 2018. There’s even a 12-step plan and a checklist to help you make sure your business is handling personal and sensitive data in a legal and ethical manner.
As GDPR is a “living document”, it will continue to change and grow along with advances in technology and the needs of the general public. The current understanding is that “data controllers” (those who store personal data) and “data processors” (those who use it) will be responsible for ensuring that their marketing mail recipients have double opted in to be contacted (e.g. by submitting their contact details on a webform and then clicking a link in an email to confirm), and that any data stored is reasonable and necessary. For sensitive data (such as that held by the healthcare industry), the expectations are even higher, and there will be a time limit on the storage of this type of information, as well as a clear and defined need for it to be collected.
Under the new regulation, you won’t be able to blame your suppliers for mishandling your data, so if you use a marketing agency or other company to disseminate information to your clients and prospects, you’ll need to closely monitor your suppliers’ activities. It’s expected that indemnities between businesses with data transfer relationships will become the norm, so make sure you’re protected from the get-go.
If you already have a database full of contacts, but you’re not sure if they have double opted in, don’t risk falling into the same trap as Honda and Flybe by sending a mass marketing email out asking them to confirm they’re still happy to be contacted by you. Despite arguing that the emails were customer service messages to help them comply with GDPR, the ICO ruled that they were in fact marketing messages and fined the two companies a combined £83,000.
The main change that will impact on SMEs is the reduced timescale for responding to Freedom of Information (FOI) requests. In the past, companies had 40 days to reply with the relevant information; this has now been halved to 20 days. Any request for information falls under the Act, whether it mentions the Act directly or not, and therefore must be handled correctly and in a timely manner.
If you’re not sure what counts as a valid request, here are the standard expectations:
- It must be in writing. This can be by email, letter, or even social media if your company has an account.
- It must include the requester’s real name and an address for correspondence. This can be a postal or email address. Requests can also be made on behalf of another, for example by a solicitor, or in the name of an organisation.
- It must describe the information requested, although any genuine attempt to describe it will be enough to trigger the Act. Claiming the description is too broad or unreasonable will not be accepted as a reason not to comply.
And that’s it. Requests don’t have to be made to a specific employee or department, even if you have a Freedom of Information officer, so it’s essential that all your staff are made aware of their obligations under the Act.
As part of your preparation for GDPR you might want to organise some training for all employees to ensure your business is compliant with the new regulations. At the same time, you could undertake a data audit to clarify what types of information you hold and ensure that it is all relevant and necessary.
If you need any advice about your GDPR responsibilities or organising a data audit, get in touch with us to find out how we can help.
What are your thoughts on the upcoming data protection regulation changes? We’d love to hear from you: leave a comment below or join the conversation on Twitter.