If you feel that you have been bombarded with ‘data consent’ requests in recent months you are not alone, as businesses prepare for the implementation of the EU General Data Protection Regulation (GDPR) on 25 May this year. As a business owner, you may have also taken a number of steps to prepare for the introduction of the new legislation - or perhaps are suffering a few sleepless nights worrying about what it all means. The good news is that the rules build on the UK’s existing Data Protection Act 1998 and most small businesses will be able to comply with requirements by putting in place a few additional procedures and controls.
The first point to note is that the rules apply to personal data held by a business, which would include employees and customers, so if your business doesn’t collect and store any personal data and is unlikely to do so in future you can probably stop reading now. It’s worth noting that personal data means anything which can be used to identify and individual, whether by name or a unique reference ID that may link to another data store, so information obtained from Google Analytics and other similar tools as part of Search Engine Optimisation (SEO) would not be covered as long as it cannot be tied back to specific individuals.
Many, if not most, businesses hold personal data about their customers, so assuming that your business is in that category, the first step is to decide whether you really need to keep the data. If it’s no longer required, safely deleting or destroying it would reduce the overhead of compliance with the GDPR regulations and, in the case of no personal data remaining, would avoid the regulations entirely. But for the majority of businesses who retain personal data now or plan to in the future, it makes sense to address the GDPR regulations as soon as possible.
GDPR states that you must have a ‘lawful basis’ for processing personal data, and that the way that you use and store the data is appropriate and in line with your stated purpose. So for example, if you collect a customer’s data for the purpose of shipping a product to them, and then pass on their data to a marketing agency without their consent, that would not be consistent with the stated purpose of processing the data. However, if you obtain the customer’s explicit consent to pass on the data (and record their agreement), that would be acceptable.
GDPR has six legal bases for processing personal data - Consent, Contract, Legal obligation, Vital interests, Public task and Legitimate interests. Most small and medium sized businesses are likely to rely on ‘Consent’ or ‘Contract’, or a combination of the two. It’s not a one size fits all approach, so if you need to process personal data as part of a contract but also intend to you use it as part of your business’s marketing, for example e-mail newsletters and promotions, you will need to obtain consent for secondary activity.
In general GDPR applies a common-sense approach which is intended to ensure that personal data is used for the correct purpose, is processed and stored safely and provides individuals with clear rights over their data. Small firms should not find the new rules particularly onerous, but as a minimum businesses should review and document their current data processes and controls and compare with the GDPR legislation prior to the deadline of 25 May 2018. Two useful sources of information are the EU GDPR portal https://www.eugdpr.org/ and the UK Information Commissioner’s Office (ICO) GDPR guidance https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/