The small business no-nonsense guide to GDPR Part I: An overview
Why are we writing this?
As the date on which the GDPR becomes enforceable approaches, more and more of our customers have been asking us what we are doing to prepare for it. Invariably, these discussions turn to how the GDPR is going to affect them as well.
Many are understandably worried and unsure whether they will be compliant come May. Unfortunately there is a lot of confusion around this new legislation, so the purpose of this guide is to cut through that confusion and provide an overview of what the legislation is, the steps you need to take to see whether you are compliant, and what needs to be done to close any gaps in your data processing system.
As most of our customers are small businesses we will be interpreting the GDPR from a small business point of view. In addition, we’ll demonstrate how RealtimeCRM can help you become compliant.
We’re not just giving this guide away. As usual your first RealtimeCRM user is on us. If you decide to add more users they’ll be on us too during your first month of use. Simply click through the following link: https://app.realtimecrm.co.uk/sign-up/GDPR
What is GDPR?
On 25th May 2018 the GDPR (General Data Protection Regulation) becomes enforceable. It is a wide-ranging overhaul of current data protection law that will affect all businesses. The Regulation is an essential step to strengthen citizens’ fundamental rights and to keep up with the tremendous changes that have taken place, particularly on the internet, in the last twenty years.
Think of the internet of things, social media and online shopping which have come into being over the last twenty years. This is an ever growing ocean of personal data that needs to be protected and made secure.
Perhaps you’ve been approached by a consultant or offered a course? While GDPR will affect all businesses we don’t believe it has to be difficult to deal with. Of course you must bear in mind that no-one can offer authoritative legal advice on the subject until it is tested in the courts. We can tell you our interpretation but we are not lawyers, we are not your lawyers, and this is not legal advice!
The GDPR is a modern privacy framework which aims to account for the complex nature of modern data collection, storage, processing and distribution. The goal is to provide a path which allows businesses to build and maintain a data policy that ensures you keep your eye on the ball of data security and management.
It’s in your interest to be compliant. This is not simply because this new legislation has teeth in the form of significant fines which we will cover later on. Instead, by doing so you signal to your customers that you take the security of their personal data seriously. In turn you’ll strengthen those customer relationships.
As the Pew Research survey above shows, privacy matters to individuals. If you cannot demonstrate high standards of data protection, or worse you are found to be negligent, it will harm your business.
Additionally, the GDPR requires every company within its scope to build its data processing on the same underlying principles. This allows for a consistent and cohesive data protection environment across the EU, which in turn makes it easier for businesses to interact with each other.
What are the key principles of GDPR?
The GDPR sets out the data protection principles in Article 5. They can be summed up as follows:
- Lawfulness, fairness and transparency: personal data is processed lawfully, fairly and in a transparent manner in relation to individuals.
- Purpose limitation: personal data is collected for a specified, explicit and legitimate purpose and is not processed beyond the scope of the purpose used to justify the processing.
- Data minimisation: personal data is adequate, relevant and limited to what is necessary in relation to the purpose for which it is being processed.
- Accuracy: personal data is accurate and, where necessary, kept up to date.
- Storage limitation: personal data is kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which it is being processed.
- Integrity and confidentiality: personal data is processed in a manner that is secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Accountability (Article 5(2)): the controller is responsible for, and must be able to demonstrate, compliance with the principles above.
Does it apply to me?
This new regulation applies whether or not your business is based in the EU, and regardless of where you actually process the data. As long as you are processing the data of people in the EU for the purpose of offering them goods or services (whether paid or not), or monitoring their behaviour, for example by placing cookies on the devices of EU individuals, you must adhere to the GDPR:
“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to..”
-Article 3(2) General Data Protection Regulation-
The UK’s vote to leave the European Union has no impact on GDPR enforcement, as the Information Commissioner’s Office (ICO) has confirmed that the Regulation will apply in the UK from 25th May 2018.
For the purposes of this guide we will focus our attention on the GDPR and its effect on small businesses. The GDPR is not a one size fits all solution to the problem of data protection. It has differing levels of obligation depending on the size of the business when it comes to keeping records of processing:
“The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.”
-Article 30(5) General Data Protection Regulation-
In plain language, the GDPR does not expect the same record-keeping obligations from a small company of, say, 12 employees as it does from Facebook. That is unless you process data more than occasionally, the processing is likely to result in a risk to the rights and freedoms of data subjects, or the data is of a special category, in which case you must keep records in the same way as larger organisations.
Our guide will walk you through a general overview of the principles of the GDPR with specific reference to interpreting it as a small business.
It’s important to understand the general principles because data protection is not a product but a process. In understanding the process you will be able to evaluate your current data protection procedure and update it where necessary to ensure that you are compliant with the GDPR.
A few key definitions
Data Subject: A “natural person” who can be directly or indirectly identified by information such as a name, an identification number, location data, an online identifier (such as a username), or their physical, genetic, or other identity. An example would be a person named ‘James Sample’.
Personal data: The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Sensitive personal data: The GDPR refers to sensitive personal data as “special categories of personal data”. Article 9(1) lists them exhaustively: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data processed to uniquely identify a person; data concerning health; and data concerning a person’s sex life or sexual orientation.
Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Controller: Determines the purposes for which and the manner in which any personal data is to be processed. For example ‘James Sample’ registers with a landscaping company named ‘Green Landscapes’ via their website to find out more information about their services, in this case Green Landscapes becomes the controller of the personal data that James provided.
Processor: They process the data on behalf of the controller. Any software or CRM system such as RealtimeCRM becomes a processor of James’ personal data when Green Landscapes imports his data into RealtimeCRM.
Processing: Anything that is done to or with personal data (Article 4(2)), such as:
- Collection, recording, organisation, structuring, storage, adaptation or alteration of the information or data.
- Retrieval, consultation or use of the information or data.
- Disclosure of the information or data by transmission, dissemination or otherwise making available.
- Alignment, combination, restriction, erasure or destruction of the information or data.
Enforcing the GDPR
Under the Data Protection Act 1998 (DPA) the ICO could issue fines of up to £500,000 to a data controller that was in violation of the legislation. The GDPR allows for far more significant fines, at two levels of severity:
For the lower tier, the ICO can issue fines of up to €10 million or 2% of worldwide turnover of the preceding financial year (whichever is greater) against both data controllers and data processors.
The following is a list of some of the provisions which, if violated, can result in the above fine:
- Failure to implement measures to ensure privacy by design (i.e. ensuring data protection is considered in the early stages of a project and throughout its life cycle).
- Failure by a controller in relation to the engagement of processors.
- Failure of a processor to process data only in accordance with the controller’s instructions; failure to report breaches; and failure to appoint a data protection officer, if such appointment is required pursuant to the GDPR.
For the higher tier, the ICO can impose fines of up to €20 million or 4% of worldwide turnover of the preceding financial year (whichever is greater) against both data controllers and data processors.
The following is a list of some of the provisions which, if violated, can result in the above fine:
- The basic processing conditions including in respect of obtaining consent.
- Infringement of the rights of data subjects including international transfers of personal data.
- Failure to implement or adhere to a subject access request process.
In addition to the above fines, the GDPR explicitly gives individuals the right to lodge a complaint with the supervisory authority and the right to judicial redress in court. This should not be taken lightly: as the PPI claims against UK banks showed, individual claims add up quickly, so proof of compliance is a must.
Having listed the potential penalties of the GDPR, it’s not time to panic. If you are sensible and do a proper audit of your current data management system you can change it to be compliant and avoid the above. By reading on you will see that compliance is more than manageable and that the purpose of the legislation is not to trip you up but to encourage you to think about data protection, and then to incorporate it into your business not as an afterthought but as one of the cornerstones of good practice.
Thinking about your current data processing
In this section we’re going to begin to think about the GDPR in more specific terms. How exactly does it apply to your business?
Before we delve into each provision of the GDPR there are a few important questions to ask yourself which will help you to see how the new legislation applies to you.
Under Article 30, the GDPR includes a reduced record-keeping burden for small businesses (fewer than 250 employees). This does not apply, however, if you are processing special categories of data (see Article 9 for the full list) or data relating to criminal convictions, if the processing you carry out is likely to result in a risk to the rights and freedoms of data subjects, or if the processing is not occasional. The phrase “not occasional” has not yet been interpreted authoritatively, so we will interpret it conservatively and assume that the higher standard of record keeping applies to small businesses as well.
All of this may sound quite intimidating but you need not be on your own in attempting to meet the relevant compliance requirements. You can seek advice from third party consultants or benefit from the compliance mechanisms offered by cloud service providers. In that spirit we will discuss in this guide the various ways in which RealtimeCRM can help you as well as the other steps you can take to stay on top of GDPR.
Becoming GDPR compliant begins with knowing what data you collect and process, and why. This is a useful exercise to run because you may find out that you can reduce the amount of data you collect and therefore reduce your GDPR overhead.
To get to that point you have to perform an audit of your current data processing. Fortunately, the ICO has produced an easy to use template, with example data, which you can fill in with all the data processing you currently do, where the data came from, who you share it with, and the lawful basis under the GDPR on which you process it.
We recommend you read this entire guide so you have a fuller understanding of GDPR before filling in the template below:
The GDPR encourages a risk based approach to data processing. Article 32 requires controllers and processors to implement technical and organisational measures that “ensure a level of security appropriate to the risk.” To find out your level of risk you will have to do a risk assessment.
It’s not as complicated as it sounds. All it requires is some common sense and an honest review of your current data processing system.
- A threat assessment: are you able to detect data breaches or unauthorised network access? Even simple things count, such as whether your physical files are locked away with only the necessary people having access to them.
- A data audit: look at your data collection and processing as a self-contained system. What is the greatest threat to it? If your data is stored digitally, is it encrypted and password protected? Are you processing sensitive data that requires extra security, and do members of staff require a Disclosure and Barring Service (DBS) check?
You will also need plans for incident response and breach notification. Under the GDPR you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
Completing an adequate preliminary risk assessment will enable you to identify your level of risk. This is particularly important because if your processing is likely to result in a high risk you are required by the GDPR to conduct a Data Protection Impact Assessment (DPIA).
As a small business do I need to conduct a DPIA?
If you are a small business your level of risk is unlikely to be high enough to warrant a DPIA. A DPIA is required wherever processing is likely to result in a high risk to individuals (Article 35(1)); Article 35(3) names three cases in particular:
- A systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
- Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.
- Systematic monitoring of a publicly accessible area on a large scale.
An example which may require a DPIA could be a hospital that is processing its patients’ genetic and health data on its information system. If you’re a small local landscaping business then the information you hold and process probably doesn’t meet the DPIA conditions.