A Basic Guide to GDPR for SMEs
28th March 2018, CHCAdmin

If you are reading this, you are probably aware that data protection law changes on 25th May 2018, less than two months away. Many people are worried about the new regulation, but there is no need to panic: many companies already comply with much of it. For a small company, GDPR can feel particularly daunting, so we have put together a short guide to get you started. Its purpose is to walk you through the first steps in preparing for 25th May. Much of this information comes directly from the Information Commissioner’s Office (ICO) guidance; we have tried to clarify it and add practical steps you can apply directly in your company or organisation.

Just to be clear, this guide should not be your only reference for GDPR compliance. It is a good place for SMEs to begin, but you must also research your own organisation’s specific case. If you would like to talk to us about how we can help you prepare, please get in touch.

WHAT COUNTS AS ‘DATA’?

Let’s start with the basics: what do the new rules mean by ‘personal data’? The ICO defines it as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.” In practice, personal data is any information you hold that relates to an individual who can be picked out from it, either directly or in combination with other data you hold. It could be an email address, a phone number, an IP address, or a record of the individual’s interests (whether they prefer ice cream or pizza); you get the picture.
Personal data also includes what cookies on your website collect, anything submitted through your online forms, and the data you gather through third-party services such as Google Analytics or MailChimp. Those services process the data on your behalf, and you remain responsible for it as the controller.

CLARIFY WHICH LAWFUL BASIS YOU HAVE FOR PROCESSING DATA

You must have a lawful basis for processing personal data. There are six lawful bases; you must identify at least one that applies to each purpose you process data for, and state it in your privacy notice:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Reference: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

MAKE EVERYONE AWARE OF GDPR CHANGES

Very simply, make the appropriate people within your organisation or company aware of the GDPR changes. Anyone who is responsible for, or involved in, collecting data on behalf of the company needs to understand how their responsibilities will change.

REVIEW THE INFORMATION YOU ALREADY HOLD

A good place to start is to identify the information you collect, where it is stored, who you share it with, and how (and whether) you record it.
This includes any data collected by non-traditional avenues (i.e. not via a form filled out on your website). The ICO draws attention to data that is:

– observed, by tracking people online or through smart devices;
– derived, by combining other data sets; or
– inferred, by using algorithms to analyse a variety of data, such as social media, location data and purchase records, in order to profile people, for example in terms of their credit risk, state of health or suitability for a job.

MAKE NECESSARY CHANGES TO CURRENT PRIVACY NOTICES

Put your privacy notice clearly on your website if you have not already done so, and review what it says. It is worth spending time on this, since you can point any future data protection queries at this page. Your privacy notice must be transparent, which means it answers these questions clearly:

– What information is being collected?
– Who is collecting it?
– How is it collected?
– Why is it being collected?
– How will it be used?
– Who will it be shared with?
– What will be the effect of this on the individuals concerned?
– Is the intended use likely to cause individuals to object or complain?

Or, more simply:

– who you are;
– what you are going to do with their information; and
– who it will be shared with.

You must also state the lawful basis (or bases) you rely on for processing. All of this should be written in clear, concise, easy-to-understand language.

Online is not the only way to communicate your privacy notice. If you are going to a conference, for example, and intend to collect email addresses for your e-newsletter, you have other options. Your privacy notice can be communicated:

– Orally, face to face or on the telephone (keep a dated record that the notice was given and what it covered).
– In writing: printed media; printed adverts; forms, such as financial applications or job application forms.
– Through signage: for example, an information poster in a public area.
– Electronically: in text messages; on websites; in emails; in mobile apps.

Whichever channel you use, keep a record of how and when each individual received your privacy notice.

ENSURE YOU CAN COMPLY WITH INDIVIDUALS’ RIGHTS

These rights include:

– the right to be informed;
– the right of access;
– the right to rectification;
– the right to erasure;
– the right to restrict processing;
– the right to data portability;
– the right to object; and
– rights in relation to automated decision-making, including profiling.

This means you must give individuals a clear choice in how their data is used, and be able to act when they exercise a right: to correct or delete their records, to stop or restrict processing, or to take their data elsewhere. At this point, ask yourself: can you locate and delete an individual’s data across every system that holds it (including spreadsheets, backups and third-party services such as your mailing-list provider) if they ask? Can you give an individual a copy of their data, together with the purposes you used it for, who you shared it with and how long you keep it?

PLAN HOW YOU WILL HANDLE REQUESTS

If an individual asks for a copy of their data or for it to be deleted, you have one month from receipt to respond. That period can be extended by a further two months where requests are complex or numerous, provided you tell the individual within the first month. If a request is manifestly unfounded or excessive, you can refuse it or charge a reasonable fee, but you must tell the individual within a month, explain why, and inform them of their right to complain to the ICO. Decide now who receives such requests, how you verify the requester’s identity before releasing or deleting anything, and how you track the deadline.

CONSENT

Review and refresh your consent processes if they do not meet the GDPR standard. First, confirm which lawful basis you are relying on; consent is only one of the six. If you do rely on consent and cannot locate a record of how and when each individual gave it, you must ask them for consent again.
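As an added example that is not part of the original post, the Python sketch below shows what the two checks above (can you locate, export and erase one individual’s data across every store, and do your consent records actually hold up) amount to in practice, and it computes the one-month response deadline, clamped to the end of the month. The newsletter list, CRM and analytics log are constructed stand-ins, and every store name, field name and sample record is an assumption; a real deployment would wrap your actual systems and would also have to cover backups and exports, which this sketch does not.

```python
# Added example, not from the original post. A minimal consent record and a
# subject-request handler (locate / export / erase) over constructed stand-ins
# for a newsletter list, a CRM and an analytics log; all names and data are
# assumptions made for illustration.
import calendar
import hashlib
from dataclasses import asdict, dataclass
from datetime import date, datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class ConsentRecord:
    """Elements a consent record must carry; opted_in means a positive action."""
    subject_email: str
    organisation: str
    purposes: Tuple[str, ...]                 # what the data will be used for
    third_party_controllers: Tuple[str, ...]  # others relying on this consent
    opted_in: bool                            # never a default or pre-ticked box
    notice_channel: str                       # how the privacy notice reached them
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


def consent_is_valid(rec: ConsentRecord) -> bool:
    """False for defaulted consent, missing organisation/purpose/notice, or withdrawn."""
    return (rec.opted_in and bool(rec.organisation) and len(rec.purposes) > 0
            and bool(rec.notice_channel) and rec.withdrawn_at is None)


def response_deadline(received: date) -> date:
    """One calendar month from receipt, clamped to month end (31 May -> 30 June)."""
    year, month = received.year, received.month + 1
    if month > 12:
        year, month = year + 1, 1
    return date(year, month, min(received.day, calendar.monthrange(year, month)[1]))


class DataStores:
    """Constructed stand-ins; a real deployment would wrap the actual systems."""

    def __init__(self) -> None:
        self.newsletter: Dict[str, ConsentRecord] = {}
        self.crm: Dict[int, dict] = {}
        self.analytics: List[dict] = []
        self.audit_log: List[dict] = []

    def locate(self, email: str) -> Dict[str, list]:
        """Every store holding this subject's data, keyed by store name."""
        hits: Dict[str, list] = {}
        if email in self.newsletter:
            hits["newsletter"] = [self.newsletter[email]]
        crm_hits = [r for r in self.crm.values() if r.get("email") == email]
        if crm_hits:
            hits["crm"] = crm_hits
        events = [e for e in self.analytics if e.get("email") == email]
        if events:
            hits["analytics"] = events
        return hits

    def export(self, email: str) -> dict:
        """Subject access: what is held, where it sits, and the consent trail."""
        hits = self.locate(email)
        return {"subject": email, "locations": sorted(hits),
                "consent": [asdict(c) for c in hits.get("newsletter", [])],
                "records": {k: v for k, v in hits.items() if k != "newsletter"}}

    def erase(self, email: str, received: date) -> dict:
        """Right to erasure: drop the subject from every store and log the action
        under a truncated hash, so the audit trail does not retain the address."""
        stores = sorted(self.locate(email))
        self.newsletter.pop(email, None)
        self.crm = {k: v for k, v in self.crm.items() if v.get("email") != email}
        self.analytics = [e for e in self.analytics if e.get("email") != email]
        entry = {"action": "erase", "stores": stores,
                 "subject": hashlib.sha256(email.encode()).hexdigest()[:16],
                 "received": received.isoformat(),
                 "deadline": response_deadline(received).isoformat()}
        self.audit_log.append(entry)
        return entry


def build_sample_stores() -> DataStores:
    """Constructed data: alice opted in properly; bob's box was pre-ticked."""
    s = DataStores()
    given = datetime(2018, 3, 1, tzinfo=timezone.utc)
    s.newsletter["alice@example.com"] = ConsentRecord(
        "alice@example.com", "Example Ltd", ("monthly newsletter",),
        ("MailChimp",), True, "website form", given)
    s.newsletter["bob@example.com"] = ConsentRecord(
        "bob@example.com", "Example Ltd", ("monthly newsletter",),
        ("MailChimp",), False, "website form", given)
    s.crm[101] = {"email": "alice@example.com", "company": "Acme"}
    s.analytics.append({"email": "alice@example.com", "page": "/pricing"})
    return s
```

The point of `locate` is that it is the single inventory of where a person’s data lives; if a new system is added without being wired in here, both access and erasure requests silently miss it. The audit entry keeps only a truncated hash of the address so that the record of having erased someone does not itself become another copy of their personal data.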
If you have been seeking permission and recording it in a way that already meets the GDPR standard, you do not need to re-seek it from your existing email list. Keep in mind that consent must be a positive opt-in: a pre-ticked box, inactivity or silence does not count, and it must be asked for separately from your terms and conditions. It must also be as easy to withdraw as it was to give. When asking for consent, include:

– the name of your organisation;
– the name of any third-party controllers who will rely on the consent;
– why you want the data;
– what you will do with it; and
– that individuals can withdraw consent at any time.

CHILDREN

If you process the personal data of children, take extra care and read the guidance carefully. Largely, the rules for children’s data are the same as for adults, but clarity and transparency should be central to all of your data processes. If you rely on consent for an online service offered directly to a child, only children aged 13 or over can give their own consent; for younger children you need the consent of a parent or guardian (with limited exceptions). See more here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/applications/children/

DATA PROTECTION OFFICERS

You must designate a DPO if you are:

– a public authority (except for courts acting in their judicial capacity);
– an organisation that carries out regular and systematic monitoring of individuals on a large scale; or
– an organisation that carries out large-scale processing of special categories of data, such as health records, or of information about criminal convictions.

If you do have to designate a DPO, research the responsibilities of the role before appointing someone: the DPO must be able to act independently and report to the highest level of management.

Please note that this article represents the views of the author solely and is not intended to constitute legal advice.