MAKING SENSE OF GDPR
Updated: Sep 7
The GDPR legislation has been around for 3 years now. But are you doing enough as a business to remain or even become compliant? Here's our 2021 update to help bring some clarity to the legislation, including what it means for business owners, and where to start.
What is GDPR?
Put simply, it’s EU legislation implemented in 2018 to protect the data of individuals. Following Brexit, the UK has adopted the legislation as its own, where it is known as “UK-GDPR”. There are six key principles of the legislation, and here's how they affect you as a business owner.
1) Lawfulness, Fairness and Transparency
This is relatively self-explanatory in that businesses should be ensuring their data collection, processing and storage is lawful and they aren’t hiding anything. You need to have a good understanding of the GDPR to comply with this obligation.
To remain transparent, you should have a Privacy and/or Data Protection Policy which includes, but is not limited to, the type of data you collect, the reason you collected it and what you intend to do with it.
2) Purpose limitation
You should only collect personal data for a specific purpose and state what that purpose is. Another important consideration is that you are only collecting data for as long as necessary to fulfil that purpose.
3) Data minimisation
Any data you do collect must be adequate, relevant and limited to achieve the purpose for which you are processing it. If you always have this in mind then it will limit the data that is available in the event of a breach. This also assists in keeping the data accurate and up to date.
4) Accuracy
Keeping your records up to date and accurate is crucial to comply with your data protection obligations. The GDPR states that “every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay”.
5) Storage limitation
Personal data should only be stored for as long as necessary. This is very broad and differs from business to business. It could be argued that you can reasonably keep the data for as long as that person is a client. However, how long will they be classed as a “client” after they have used your services, or ordered that product? Data retention is therefore very important and having a data retention policy is the best way to establish what types of data you keep and for how long. You and your staff should refer to this at set intervals throughout the year and “cleanse” your data in line with the periods set out in the policy.
6) Integrity and Confidentiality
This principle deals specifically with security. All data must be processed in a manner that ensures appropriate security of the personal data. To do this you should be using “appropriate technical measures”. In practice, this means considering how the data held on your devices and computers is protected. Are you using up-to-date anti-virus software? Is the operating system on your device up to date? Do you anonymise data where possible? Do you use passwords to protect your devices and computers?
How do I ensure I'm compliant?
Essentially it’s about making sure you have the correct tools, policies and processes in place. Don’t rely on templated documents as these won’t ensure compliance. Every business is different and has its own way of doing things. As such, your data protection policies should be tailored to your specific business needs.
A good starting point is to map your data. Understanding how your data moves within your organisation will help you identify areas which could cause you problems. Remember, personal data can only be processed if you can rely on a legal basis to do so. The GDPR provides six legal bases for processing: consent, performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest. As a business you will probably end up relying on a few of these when processing data. You need to establish which ones you will use and consider them each time processing takes place.
If you’re a larger organisation then staff training is imperative to ensure your employees understand the basic principles of the GDPR.
Also, don’t forget about your website, as this often gets overlooked when organisations implement data protection processes. If you are collecting data through your website then legally you need a Privacy & Cookies Policy and a compliant cookies pop-up. You would be surprised how many websites aren’t compliant, and not just those of small organisations either: even big, well-known corporate businesses are often inadequately protected.
Registration with the Information Commissioner’s Office (“ICO”) is a must: 99% of businesses are required to register. Clients have contacted us recently to say they have received a letter from the ICO because they aren’t on its register. The annual fee is minimal: if you fall into tier 1 then it’s £35 if you pay by direct debit and £40 otherwise.
Know your deadlines
An important point to note regarding data breaches is the strict reporting deadline. The legislation states that any data breach you become aware of should be reported to the ICO within 72 hours. Failure to do so could result in a fine. The ICO’s website is fantastic and full of really helpful information. Whether you need to report a breach depends on its severity. We recommend that you use the ICO’s self-assessment tool to establish this.
Finally, you should review all your data protection policies and processes regularly. It’s not enough to implement and then forget all about them. This will ensure that the data you collect is accurate and safe.
K&K Legal Consulting offers legal consultancy to small businesses (including our own!). They can help with everything from legal document reviews and drafting to Compliance Power Hours, through to aged debt support. If you need support in any of these areas, please get in touch.