The General Data Protection Regulation (GDPR) is the European Union’s latest update to its data protection and privacy laws. The GDPR came into force on 25 May 2018. The previous regulation of its kind was drawn up in 1995 – a time before Google and social media – and so was sorely in need of an update.
The GDPR has been created to place significant emphasis on EU citizens’ rights to privacy in the online and digital environment. Prior to the regulation being implemented, there were many reports of unscrupulous behaviour by companies who profited from the trading of personal data like names and email addresses amongst other things. Previously common practices such as data scraping and buying and selling of email lists are now illegal and must not be conducted.
The GDPR has garnered a lot of attention, and for good reason. Perhaps the biggest headline is the eye-watering consequences for companies that fail to comply with the regulation. The GDPR maximum fine for violations is €20 million, or 4% of global annual turnover, whichever is greater. In a recent test case, brought to the regulators by Austrian data privacy activist Max Schrems, internet giants Facebook and Google are each potentially liable to pay over €3 billion if the claims of fraudulent data collection are proven. It’s no wonder that businesses of every size are scrambling to ensure their data security processes are compliant. It may be cold comfort to know there is a lesser tier of infraction that can attract a civil monetary penalty of merely 2% of global annual turnover or €10 million, whichever is greater. In another case, pressed only days after the GDPR came into effect, Canadian data aggregator company AggregateIQ was given 30 days to comply with the regulation or face the GDPR maximum fine after admitting it held data in breach of Articles 5 and 6 of the new code.
What does the GDPR really look like? Should a small business in the UK be concerned with data protection? How does Brexit affect GDPR compliance for UK business? We take a broad look at the GDPR.
What is the GDPR?
The GDPR consists of a number of articles that are built around six data processing principles. Businesses that collect, use or store personal data must demonstrate a lawful basis for doing so that is in line with the principles. Regarding personal data, businesses must ensure that:
- a) it is processed fairly, lawfully and transparently,
- b) it is collected and processed for specific reasons and stored for specific periods of time, and that it is not used for reasons beyond its original purpose,
- c) only the data necessary for the purpose it is intended is collected, and not more,
- d) it is accurate and that reasonable steps are taken to ensure it remains accurate,
- e) it is kept in a form that allows individuals to be identified only as long as is necessary,
- f) it is kept securely and protected from unlawful access, accidental loss or damage.
To be clear, businesses must be able to demonstrate that any personal data in their possession is collected and kept in keeping with the principles above.
Critically, businesses must understand what rights consumers have when it comes to data privacy. The data protection principles above are clear; understanding and complying with consumer expectations and rights is equally important. Below are brief summaries of the rights that individuals have to access and control their data.
- The right to be informed: You must inform individuals when you collect their data, which data you collect, who you share it with and how long you will keep it.
- The right of access: Individuals can contact your business at any time and be provided with the data your business holds about them, including how long you have held it and who you share it with.
- The right to rectification: Individuals are allowed to verify the information your business holds about them and correct any information that is incorrect or inaccurate.
- The right to erasure: This right may not be applicable in all circumstances, but generally an individual has the ‘right to be forgotten’, that is, to have all data pertaining to them deleted permanently, in part or in full, from your business records.
- The right to restrict processing: Individuals may contact your business and restrict your ability to process their data at any time. Like the right to erasure, this is not applicable in all circumstances. The right to be informed may be called upon so an individual can decide which data to restrict.
- The right to data portability: Businesses must allow individuals to extract copies of the data held by them about the individual. Common examples include being able to export activity performed on social networks. The right to data portability aims to prevent monopolisation of data due to difficulty in moving information.
- The right to object: Individuals can ask businesses at any time to stop using their data in ways they object to. An individual may allow for data to be used in some ways but not others. For example, an individual may ask to be removed from a mailing list but allow other methods of communication.
- Rights in relation to automated decision making and profiling: The rise of automated decision making (such as artificial intelligence and machine learning) and profiling (drawing inferences based on accumulated data) creates new data and privacy challenges. Individuals have the right to object to such use of their data and to appeal against automated decisions that involve them. As above, any processing of this type requires the explicit permission of the individual.
How does the GDPR affect small businesses in the UK?
Prior to the GDPR implementation, businesses in the UK relied on the 1988 Data Protection Act (DPA). The Act was even more antiquated than the equivalent EU regulations that the GDPR replaced. The GDPR is intended to be replaced by mirrored regulations in the UK once Brexit has been finalised. This means that the Brexit process will likely have no meaningful effect on how small businesses treat data protection and individual rights to privacy. The Information Commissioner’s Office (ICO) is the office that enforces the GDPR in the UK.
Small businesses with fewer than 250 employees are not required to comply with the GDPR in the same way as larger companies. It would be prudent, however, for small businesses to act as if they are compliant. Complying with the regulations allows for a smoother transition should the business experience growth above the employee threshold. Compliance also helps to insulate the business against any further tightening of the regulations. Further, the GDPR has been widely publicised and individuals may expect the rights outlined above to be afforded to them by all businesses they trade with, not just those above the employee threshold.
There are some instances when businesses with fewer than 250 employees can be held to account under the GDPR:
- If the data processing is likely to put the data privacy rights of an individual at risk, if the data processing is routine (that is, not occasional), or if the data processed includes special categories of data (see Regulation 9 for the specific data types), the business must comply with the GDPR.
- Any breach of security must be reported to the Information Commissioner’s Office (ICO) within 24 hours of the breach, and in no case later than 72 hours. Failing to do so may leave your business liable for the fine of 2% of global annual turnover.
- The right to erasure must be complied with as per the GDPR by businesses of any size.
- Failure to comply with some specific GDPR regulations may result in the GDPR maximum fine being applied: up to 4% of global annual turnover or €20 million, whichever is larger.
For most businesses, the key phrase here is ‘routine processing’. No matter how small your business is, if you regularly use an individual’s data in the same way, it is considered routine and the business must comply with the GDPR rules regarding protection and privacy. Furthermore, the regulation applies to data collected prior to the date it came into effect. The GDPR is far more specific about what constitutes personal data than the outdated DPA, so be sure to check which information must be taken care of. Personal data can now include:
- Personal home addresses,
- Contact names,
- Personal contact numbers,
- Personal IP addresses,
- Personal email addresses,
- Racial or ethnic origin,
- Political opinions,
- Religious beliefs,
- Sexual life,
- Physical or mental health information,
- Whether the customer is a member of a trade union, and
- Any criminal offences.
How can UK small businesses avoid the GDPR maximum fine?
It’s likely that your business was not compliant with the GDPR’s specifications in the lead-up to its implementation in May 2018. The rules and requirements around data protection and privacy have never been stricter or more tightly defined. If you are unsure whether your business is meeting the requirements, check your compliance against this list as a starting point.
Review your cyber security protocols. You must make every demonstrable effort to secure your client data. Ensure you have constant security monitoring to alert you if a breach is detected. If you do suffer a breach, there are strict, time-based notification requirements in place.
Audit your data. Inspect every storage option you have for personal data. This includes servers, software, the cloud, email and mobile devices. Know specifically where the data is. If you are unsure whether you have hidden or mislaid data, you may need to speak to IT specialists about data identification and discovery. You must have an appropriate legal basis for holding and processing the information. You must know where the data is in order to comply fully with the rights to be informed, of access and to erasure.
Audit your contracts. As the GDPR came in, most people’s inboxes were flooded with updates to corporate terms of service as companies made efforts to comply with the new conditions. Ensure your contracts and notices are GDPR compliant. Be sure to check internal contracts as well as client-facing ones.
Nominate a GDPR-responsible person. Someone in your IT or HR team must be responsible for ensuring GDPR compliance in the workplace. Depending on the size and scale of your organisation and data holdings, you may need to employ a consultant or a dedicated person for the role. Compliance is complex and many people may work on it, but control must be held centrally. Depending on your business’s specific situation, you may be required to nominate a Data Protection Officer (as specified by the GDPR).
The GDPR is here to stay. Brexit will not change anything for UK-based companies that possess and process EU citizen data. As we’ve seen, international companies have already been called to account for failing to maintain proper security and handling of EU citizen data. It’s clear that large companies are being scrutinised for their behaviour, but it surely won’t take long for smaller companies to fall under the microscope. Remember that many hackers focus their efforts on smaller companies as the cyber security protocols are often less substantial. Security breaches now carry the risk of significant financial penalties along with the loss of trade, reputation and trust. It would be prudent to ensure you are doing everything you can to comply with the GDPR regulations to protect yourself and your customers from harm.
Computers in the City, your data privacy and protection partner
Computers in the City is London’s longest-standing IT partner. With over 20 years’ experience, we can assist you to meet your IT support, digital security consulting and cloud computing needs. Let us help you develop GDPR-compliant data handling and protection for your business. We’re proud to be local, offering 24-hour support in straightforward language that takes the stress out of IT support.