By now you’ve probably read or heard a great deal about GDPR – the new General Data Protection Regulation – that is coming into force on 25 May 2018. Much of what has been written is confusing and some of it is misleading, so here we’ll give you some of the basics that you need to consider, if you haven’t already done so.
GDPR will affect businesses and organisations across the country, as it updates the 1998 Data Protection Act, which was developed before the advent of social media, algorithms and cloud based IT systems. It puts the rights of data subjects – that’s you as an individual – at the very heart of the Regulation. Every business is different, not least in how you rely on data processing to be successful and how your existing policies and procedures are meeting the refreshed requirements. There is no one size fits all or downloadable formulaic answer to GDPR. You will need to develop your own tailored approach.
The Information Commissioner’s Office (ICO) has the task of providing guidance on the application of GDPR to all the businesses it affects. While the vast majority of its guidance is helpful it does suffer from a lack of precision, not least because it must be equally applicable to multinationals and micro-businesses at the same time. The ICO guidance must, therefore, be applied by you in the context of your business. How can you do that in an effective way? We think that there is a simple starting point that involves the following three Ps:
- The Six Principles which underpin GDPR and which can be summarised as follows:
  - Lawfulness, fairness and transparency
  - Purpose limitation
  - Data minimisation
  - Accuracy
  - Storage minimisation
  - Integrity and confidentiality.
Any policies and procedures that you develop for your business in response to GDPR will need to be mapped onto these six Principles and all will need to be covered in a suitable way.
- Proportionate response. You will want to recognise the scale and extent of the risks that your business faces, so your response will need to be Proportionate. GDPR compliance does not mean the introduction of myriad policies and procedures but rather a suitable and measured approach.
- Pragmatic approach. You will need to do this in a way that is appropriate to the way your business is run, that is in a pragmatic manner.
You need to be able to demonstrate compliance by your business with all six Principles, so they are a useful starting point in checking your response to GDPR.
The other major change brought in by GDPR regards the rights of data subjects (individuals). After 25 May 2018 they will be entitled to the following rights:
- A right of access to the personal data your business may hold on them
- A right to the correction of any inaccurate personal data held on them by your business
- A right to be forgotten by the deletion of any personal data that your business may hold on them
- A right to have the processing of their personal data by your business restricted when certain conditions are satisfied
- A right to have the personal data held by your business transferred to another data controller
- A right to object to the processing of their personal data, including to being the subject of automated decision-making processes.
What this means is that if your business collects and processes personal data, then under GDPR you are a Data Controller. If your business processes personal data on behalf of another business – such as payroll – then you are a Data Processor. Your business can have both roles. GDPR places a significant number of obligations on both entities. Some key examples include providing individuals with information about the personal data you are collecting about them and making sure that your business can respond effectively should someone wish to exercise one of their rights as set out above. You also have to show that your business’s processing of personal data is being carried out in accordance with the Regulation and that you keep a record of the processing activities carried out by your business.
What Do You Need to Do Next?
While considering the three Ps (six Principles, Proportionate response and Pragmatic approach) here are some steps that you might want to take, when thinking about how your business might ready itself for GDPR compliance by 25 May 2018:
- Make sure that your senior management team, business owner or key leaders recognise the importance to your business of complying with the Regulation and that they are prepared to back any required changes, including finding any necessary resources
- Map out in a sensible way your current processing of personal data activities so that you are clear on the scale of the issues and risks for the business
- Determine just how far away from compliance with the Regulation your business might be – you may be surprised that you are closer than you think once you have done the analysis
- Decide how your business will best meet its obligations in terms of data subject rights – do you simply need to tweak your current approach or is something more substantive required?
- Consider how your current approach to security in terms of IT, people and premises policies could meet the requirements of the Regulation
- Put together and implement a costed plan of how your business will put in place the proportionate changes you have identified in a way that suits your business.
If you haven’t yet started the first step, then you should do that now, in order to be compliant by the forthcoming deadline. Working steadily through these steps is a better approach than hoping that GDPR will go away if you ignore it – it won’t.
If You Need Specific Help
At SR Consulting we specialise in helping SMEs come up with solutions to meet operational and strategic issues they face. GDPR is one such issue. Our clients have asked us to help them become GDPR compliant on time and we have been working on such projects for the last two years. There is within our business a wealth of experience in successfully running organisations that process significant amounts of sensitive personal data on a routine and regular basis. If you would like to tap into some of that experience and make sure that GDPR doesn’t become an issue for your business, download our White Paper here. For a more personal approach, call Jonathan Lane on 07503 891 331 or Patrick Doyle on 07425 150 238, or click here to email us to see how we can help you.