Update: We've now written a whole separate website devoted to the GDPR, called GDPR Decoded. It's aimed at answering the types of questions small and medium sized businesses have about the GDPR. We'll be adding all our latest GDPR findings to that site and you can add comments and get involved in the discussion there too. We really hope you find it useful.
What is GDPR?
Considering how big a change it is, the law has had surprisingly little press coverage, but make no mistake, it applies to every business and needs to be addressed prior to it becoming enforceable on 25 May 2018.
The easiest way to understand the GDPR is to think of it as a fundamental shift in the ownership of personal data from the businesses that collected the data, back to the people the data relates to.
Businesses must now explicitly ask for permission to collect data that is not part of the core reason they are interacting with an individual, and where this consent is required, businesses must ask individuals to opt in to each different way they want to use that data.
People then have the right to ask any business (whether they are a customer or not) what data they hold on them, how they are using that data and to instruct the business to no longer use their data, or that they can only use the data in certain ways.
Can't I just ignore it, won't it go after Brexit anyway?
The UK government have already confirmed that the GDPR will continue to be enforced post-Brexit, and even if a subsequent government repealed the law, any business that trades with Europe would still need to comply with the GDPR.
Ignoring the GDPR altogether might seem a tempting option, but this law has real teeth: the maximum fine for a breach of personal data is 4% of global turnover in the last 12 months. TalkTalk's much discussed 2016 fine of £400,000, imposed due to security mistakes that allowed hackers to access customer data, would be a staggering £59m under the GDPR.
Doesn't apply to me though, right? I'm a small business...
The idea that the GDPR doesn't apply to businesses with fewer than 250 employees is all over the internet, but that is categorically incorrect. We asked the Information Commissioner's Office (ICO) this question directly, and here's what they said:
The GDPR applies to all organisations processing personal data. There are certain provisions that are engaged by different kinds of processing / scales of processing, but no exemptions based on organisation size. (Web chat with ico_aidenc, 21 July 2017)
OK, so what exactly is Personal Data?
Personal Data is anything that could allow the identity of an individual person to be inferred from that data. The obvious candidates are things like email address, first name and last name. But that's by no means all: National Insurance numbers, bank details and even IP addresses are among the many other things that constitute personal data. It's difficult to think of any business that doesn't hold some of that data about either their customers, or staff members of other businesses they interact with.
What does this mean in practical terms?
In essence, GDPR requires that you know:
- What data you hold about people
- What you have permission to use that data for
- How long you can justify keeping that data for, and how old it is currently
Essentially, that means you need to know what data is stored in every software system, spreadsheet, report, email and filing cabinet, and you need to know how and when you obtained that data. That includes all the data you already have.
As few of us will know the origins of much of our data, we will need to get rid of all the data we find that we no longer need, and then go back to customers to seek permission to use their data for anything beyond the permissions that were implicit in the core activity they undertook with your business. So, for example, you don't need permission to have them in your accounts software if you have sent them an invoice, but you would need permission to market to them.
Additionally, you need to ensure that the data you have is kept safe. For paper data that means preventing unauthorised access to printed records, and for electronic data that means secure IT networks, data encryption and staff training to raise awareness of data security.
Need some help?
This page is only scratching the surface of the GDPR. We're working on a whole website devoted to the subject, but in the meantime we'd really recommend going and reading the actual regulations; the first 30 pages are in plain English and do a good job of explaining the intent of the law.
If you'd like some help assessing your existing systems, especially if you have old legacy systems that are no longer supported by their original developers, or if the GDPR is the spur to upgrade to a new system then do give us a call or drop us an email, all our details are on our Contact page here.