The new European personal data regulations come into force in 2018 – and SMEs need to be ready.
Even though it comes into force as the UK enters the process of uncoupling from the EU, it will still become British law.
What does General Data Protection Regulation (GDPR) mean for SMEs?
Among many new conditions, one of the biggest changes SMEs will face concerns consent. Under the new regulations, companies must keep a thorough record of how and when an individual gives consent to store and use their personal data.
And consent will mean active agreement. It can no longer be inferred from, say, a pre-ticked box. Companies that control how and why data is processed will have to show a clear audit trail of consent, including screen grabs or saved consent forms.
We have devised a 10-step plan to help you get ready:
- Knowledge and understanding: Make sure everyone, including key decision makers, is aware of the legislation and what it means for your business.
- Information audit: Check what information you hold about your customers and how this should change in the future. Check where it comes from and who it goes to.
- Communication: Put a plan together on how you will communicate the new privacy information in time for the GDPR implementation date in May 2018.
- Management of data: Ensure you have a process to manage individual rights in the future, including how you delete data, how you handle subject access requests, and whether you need to apply age-based restrictions.
- Lawful collection: It is worth taking time to be sure that you have the lawful right to collect the data and that you are collecting consent in the correct way.
- Opt-in vs opt-out: Consent must be opt-in consent; there will be no such thing as opt-out consent. In simple terms, this means that individuals are given a genuine choice and control over how their personal data is used and must take a deliberate action to opt in. You will therefore need to plan the end of pre-ticked boxes on your website, as you will no longer be able to rely on ‘implied consent’. GDPR states specifically that “silence, pre-ticked boxes or inactivity should not constitute consent”.
- Data breaches: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. Be clear on what steps you need to take outside of working hours. Consider making somebody within your business responsible for this as a data protection officer.
- Be prepared for assessment: Stand up and take note: it is possible that even smaller businesses will face assessments to ensure that their policies have come into line with the rules. Don’t assume that you will be able to claim innocence through ignorance of the rules – fixed penalties will be applied to companies that do not comply.
- Children: The GDPR identifies children as “vulnerable individuals” deserving of “special protection”. You will need to be aware that the new rules introduce some child-specific provisions, most notably in the context of legal notices and the legal grounds for processing children’s data.
- International data transfers: Under current data protection law, transfers of personal data outside the European Economic Area (EEA) are restricted, and this will continue to be the case under GDPR. In general terms, the rules on data transfers under GDPR are very similar to those under the DPA, with some improvements.
It’s a much better idea to get your GDPR policy sorted as soon as possible so that the whole business is used to it by the time the regulations come into force. Start today: if you’ve not yet started to look at the impact this will have on your business, we’re happy to help. We can also provide training courses and awareness sessions for your whole team.