GDPR Legislation: Advice for Businesses
What you should know about GDPR
In the past couple of months, we have been contacted frequently for advice related to GDPR. We’ve also noticed that it has been a hot topic at networking events for the past six months, so we felt it was time we wrote up an article on what it is and how in particular it affects small and medium-sized businesses.
What is this so-called GDPR, and why is everyone in business going on about it lately?
GDPR is the convenient acronym for the General Data Protection Regulation (EU) 2016/679, a piece of binding European Union legislation adopted in April 2016 that comes into force on May 25th 2018. The regulation governs how businesses and other organisations handle the personal data they collect or process. It replaces the 1995 Data Protection Directive (95/46/EC), and because it is a regulation rather than a directive it applies directly in every member state instead of having to be transposed into separate national laws (in the UK, the Data Protection Act 1998 was the local implementation of the old directive).
Because it is binding and enforceable from May 25th 2018, it has become much talked about. In particular, there has been concern over the scale of the penalties available: supervisory authorities can impose administrative fines of up to 20 million Euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements (a lower tier of 10 million Euros or 2% applies to others). These are figures that could be ruinous for most small and medium-sized businesses.
At the time of writing the UK remains a member of the EU, and the government's stated position is that EU legislation in force at the point of the UK's formal departure will be carried over into British law. GDPR therefore affects UK businesses just as much as those in any other member state, and will continue to do so after the UK ceases to be an EU member.
Ok, so it can be very expensive if you breach it, but what do you have to do to stay on the right side of the law?
Essentially, you need to set out and implement a data protection policy that applies data protection by design and by default (Article 25) to every business process in which you hold or process personal data about individuals, rather than bolting privacy on afterwards.
One implication of this is that every personal data processing and storage operation your business carries out must rest on at least one of the lawful bases set out in Article 6, and you need to identify which basis applies in each case. The six bases are consent, performance of a contract, a legal obligation, protection of vital interests, a public task, and legitimate interests. For a typical small business the two that come up most often are consent and legitimate interests. Note that legitimate interest is a lawful basis in its own right: it does not presume or substitute for consent, and it cannot be relied upon where the interests or fundamental rights of the individual override yours.
Where you rely on legitimate interests, you should document a balancing test setting out what your interest is, why the processing is necessary to pursue it, and why it does not override the rights of the people concerned, so that you can demonstrate this if challenged by someone you hold data about or, ultimately, by the supervisory authority.
Data storage for online marketing purposes may rely upon consent, legitimate interest, or a combination of these. It is up to you to work out which applies in your particular case, then to set out a policy framing this. Bear in mind that sending electronic marketing (email, SMS and the like) is separately governed by the ePrivacy rules, in the UK the Privacy and Electronic Communications Regulations (PECR), which generally require consent for unsolicited marketing to individuals, subject to the "soft opt-in" for existing customers, whatever lawful basis you rely on under GDPR for storing the data.
For example, at GWS, we display our claims to legitimate interest in clauses 3 and 5 of our privacy and data protection policy posted at https://www.gwsmedia.com/privacy-and-data-protection-policy-gws-media-ltd - with reference to the relevant clauses of the GDPR legislation.
You might find our policy useful as a partial template towards formulating your own. And whatever policy you formulate, displaying it accessibly on your website can help cover you against claims that subjects whose data you hold have not been properly informed.
You must appoint a Data Protection Officer (Article 37) if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if they involve large-scale processing of special categories of data (health data, for example) or criminal conviction data. The DPO advises on and monitors compliance, but responsibility for compliance stays with the business itself. Most small businesses will not fall within the mandatory criteria, though naming someone to own data protection is still good practice.
The legislation further requires that a personal data breach be reported to the responsible supervisory authority without undue delay and, where feasible, within 72 hours of your becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned (Article 33); if you miss the 72 hours you must give reasons for the delay. Where the breach is likely to result in a high risk to those individuals, you must also notify them directly without undue delay (Article 34). You should keep an internal log of all breaches, including those you decide not to report. This sits alongside the general duty in Article 32 to protect personal data with appropriate technical and organisational measures, such as encryption and pseudonymisation, so that breaches are less likely in the first place.
There is a supervisory authority in each EU member state. In the UK, it is the Information Commissioner's Office, commonly known as the ICO. Its website (https://ico.org.uk) is a useful resource for guidance on how it interprets the responsibilities of UK businesses under GDPR.
Additionally, the new EU legislation grants data subjects a right of access to the personal data you hold on them (Article 15), which you must normally honour free of charge within one month of the request, and a right of erasure (Article 17), alongside rights to rectification, restriction of processing, data portability and objection. Erasure is not absolute: it applies where, for example, the data is no longer needed for the purpose it was collected for, the subject withdraws consent and you have no other lawful basis, the subject objects to processing based on legitimate interests and you cannot show compelling legitimate grounds that override theirs, or the data was processed unlawfully. Note that where someone objects, it is for you, not them, to demonstrate overriding grounds. In practice, it is prudent to honour all reasonable erasure requests rather than contest them and risk a complaint to the ICO, with the associated costs.
Finally, you are required to maintain a record of your personal data gathering, processing and storage activities (Article 30) that the supervisory authority (again, the ICO in the UK) may ask to see. Organisations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to individuals' rights and freedoms, is more than occasional, or involves special categories of data or criminal conviction data; in practice, most businesses that process customer data regularly will need one. A document setting out these particulars should be prepared. It does not need to be displayed on your website, where your privacy and data protection policy should suffice.
GDPR is binding legislation designed to safeguard individuals’ rights to privacy and the security and fair use of the data held on them by companies and other organisations. If you want to avoid falling foul of the law and forfeiting public reputation and liquidity to boot, you should seek to ensure that you are operating within this spirit as well as complying with the letter of the legislation itself, which means putting in place policies along the lines outlined above.
It should not be an overly painful or expensive process, and once those policies are documented, your staff are trained in them, and any suppliers who process personal data on your behalf are bound by written contracts meeting the requirements of Article 28, you can relax and continue with business as usual. We wish you every success in assuring your own GDPR compliance.