
GDPR - My Top Tips

It's only 2 weeks until GDPR comes into effect for everyone. There is no soft landing for small businesses; however, GDPR should be viewed as a positive step forward.

It has been a busy time not only ensuring my business is compliant, but also supporting some of my clients in GDPR compliance. I thought it may be helpful to share my learnings from working through this process.


As a business, you may be a "Data Controller", alone or jointly with others, determining the purposes for which any personal data is processed. You may also be a "Data Processor" if you are responsible for processing personal data on behalf of a controller. If you take receipt of data collected by the Controller and hold it, or analyse it, you become the Processor.

As a small business you can manage this process and still have time to achieve a "defensible level of compliance". However, you need to start now, demonstrating:

Accountability: Document everything - your whole thought process and any decisions you make. Have they been made with the Rights and Freedom of the data subject as your primary concern?

Transparency: Are you being open and transparent with the data subject? Provided you tell them exactly what data you need from them, why you need it, how you will be using it and who it will be transferred to, you will be compliant. You cannot do anything that is not explained in your Privacy Policy. Unlike the Data Protection Act, which was more general, with GDPR you have to be very specific and give precise details of each process.

If you are accountable and transparent, you will inspire trust in your business. Before I share my tips, let's just explain what Personal Data, or Personally Identifiable Information (PII), is according to the Information Commissioner's Office for the UK: "Any information relating to an identified/identifiable natural, living person".


Here are my top tips for GDPR compliance:

2 weeks to go: Do a Gap Analysis/Audit, if you haven't already. Analyse how you use data across your business. Where are you with regards to the DPA 1998, and where do you need to be for GDPR? For example, every time personal data that you hold is transferred to a different part of your business and is subject to a different kind of processing, you should identify the legal reason for doing this.

  • Update forms and contracts, e.g. if you have employees, review your employee contracts; also review your contracts with suppliers and people you partner with. If this is not your area of expertise, enlist a professional, or the person/company who drafted your original contract(s).
  • Review your current policies relating to data protection and assess how these might need to be amended to comply with the new GDPR rules. For example, do you have an IT Security Policy? A Subject Access Request Policy (you now only have 30 days to provide information and cannot charge a fee)? A Data Retention Policy, to name a few? Again, you may need professional support to do this.
  • Re-confirm GDPR compliant consent (i.e. lawful basis, which is likely to be in the performance of a contract, or compliance with a legal obligation) to process data for existing employees and leavers and ensure new systems are in place for recruitment and new starters.
  • Compile data privacy statements for all employees.

1 week to go: Communicate new rights with employees. You have an obligation to:

  • Ensure your line managers and any colleagues involved with recruitment and other data processing are trained in new GDPR compliant processes. Do your employees know what the new processes are and how this affects them? Do they know what to do?
  • Communicate with employees what the changes mean for them and their data, and share data privacy statements.
  • Ensure employees are aware of their obligations to you under GDPR (including notifying of a breach) and provide training where necessary.
  • Determine whether you need to appoint a Data Protection Officer (less likely in small businesses; however, I would advise you have someone who acts as a Data Protection Lead) and identify an appropriate person to fill this role.

Final days: Prepare for subject access requests. Even if you only have one member of staff and have never needed to handle a Subject Access Request previously, you will now need to have a process for doing so, and make sure you follow that process and provide the requested information to your employee within 30 days. Therefore:

  • Set up systems to be able to respond to subject access requests without delay. You may be asked to delete information (what processes do you have in place to do this securely?), rectify it, or port it to another organisation.
  • Consider creating a subject access request policy to handle these requests, which could be highly administrative and time consuming, depending on the number of employees you employ.
  • Ensure your HR representative (or perhaps Data Protection Lead) is trained in dealing with a subject access request.

There are also simple data security measures that should have been in place previously, namely:

  • Locked filing cabinets to securely hold personal information and sensitive personal information. Limit the number of people who have access to the keys, and store the keys themselves securely.
  • Data that is kept electronically must be securely held, password protected and/or encrypted.
  • Use shredders or another secure method to dispose of sensitive information in paper format.
  • Working practices that ensure all employees lock their computer when they are away from it, and that you operate a clear desk policy at the end of the day and also when people step away from their desk.

  • Realise that these regulations are coming into force, and that you cannot ignore them;
  • Aspire to be compliant by 25th May 2018;
  • Do start now to meet your obligations, if you haven't already!
