I’m sure you’ve all heard there’s some changes afoot with data protection legislation in the shape of the new General Data Protection Regulations (GDPR) that come into effect across all EU Member states on the same day 25th May 2018. These introduce a single set of rules for how organisations handle the personal data of all EU citizens.
Does GDPR apply to you?
What you may not be so clear on is whether and how they apply to your enterprise. The reality is that if you process the personal data of individuals based in the European Union (including the UK), then GDPR will apply to your business or enterprise. The size, location or type of enterprise you are makes no difference- these Regulations are all about whether you process personal data and where the individuals are based. Personal data is anything that can identify an individual such as name, address, email address, photo, IP address etc and you might process such data for employees, job applicants, customers, contractors, quotations, sales leads, donors, suppliers, volunteers, patients etc. So, if you answered yes to processing any such personal data and the individuals are based in the European Union, then you need to make sure you’re ready to meet the requirements of GDPR.
What is GDPR about?
GDPR extends the scope of Data Protection legislation to include both organisations who decide what data to collect (data controllers) and use and those that process it on their behalf (data processors). It also hands back control to the individual and demands a much higher level of transparency and accountability from organisations for how personal data is collected and used. Supervisory Authorities charged with monitoring compliance, will have much greater powers to levy significant fines- up to 4% of global turnover or €20million.
There’s been a lot of scaremongering about the level of the fines and it’s true these are much more significant than existing data protection legislation allows for. They will also not just be reserved for serious data breaches, as the UK’s Information Commissioner Elizabeth Denham recently indicated:
“The GDPR gives regulators the power to enforce in the context of accountability- data protection by design, failure to conduct a data protection impact assessment, DPOs and documentation. If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation.”
So the stakes are high and no enterprise that processes personal data and is therefore subject to GDPR, can afford to ignore it. If you’re just becoming aware of GDPR or not sure where to start, here’s my 10 point plan for getting GDPR ready.
10 steps to getting GDPR ready
1. Make the time and effort to understand GDPR and what it's about
It’s hard to take action in your SME when you don’t properly understand what you’re doing it for and what’s required. The GDPR text runs to 80 pages and contains 99 Articles and 173 Recitals so there’s an awful lot of reading to do. Each national Supervisory Authority has published a more user friendly interpretation of the GDPR but even these are very long and in many cases still high level. I spent weeks reading everything I could find, watching webinars about different aspects of GDPR and checking out relevant forums. This gave me a really good understanding and I’ve then been able to convert this into a plan of what I need to do in my own business and also helped others do the same.
When you’re an SME you tend to be short on time and don’t have too many/any resources to help you when something like this comes along. So if this sounds like you I’ve created a 1 hour webinar to share what I’ve learned aboutthe key aspects of GDPR and turning that into a plan which you can register for here.
2. Brief others and bring them onboard
If it’s just you in your SME then you can of course skip this step but if you have others you work closely with either as employees or sub-contractors, then it’s important you bring them on-board too. GDPR is about the way you do things and approach data protection and requires a change of mind-set to properly consider the risks of processing personal data and identify ways to minimise these. It needs a collective approach so everyone you work with understands both why GDPR is so important and how that translates into day to day practices.
3. Identify a lead person on data protection
GDPR requires organisations who carry our large scale data processing of individuals or special category data or who are a public authority, to appoint a data protection officer. This central named person is responsible for overseeing the implementation of GDPR internally and liaising with both Supervisory Authorities and Individuals in the event of a query or issue.
As an SME, you may not be required to appoint such a person but it still makes sense to identify a lead on data protection who will be a point of contact in the event of an Individual Rights request or a data breach and take the necessary actions. This makes most effective use of the resources you have available and ensures there is a named individual who can keep up to date with future data protection legislation developments that might affect you.
4. Conduct a personal data audit
A key part of GDPR is maintaining an up to date written record of the personal data you process, the purpose of this, who you share it with and how long you keep it for. As well as being a legal requirement, getting a handle on all the personal data that you process will make things more efficient and improve your governance. You will know properly where personal data flows in out of your SME and who to. Your personal data map should provide answers to each of the following questions:-
Why are you processing the personal data- purpose?
Whose personal data are you processing- data subjects?
What personal data is processed and what is the source of this?
When is this personal data processed and when is it obtained?
Where is this personal data processed and stored?
The easiest way to do this is using post it notes so you can move things around and take each type of personal data you process in turn and consider each of the questions above. Once you have it mapped out on the post it notes transfer this information to a spreadsheet. This will form your record and is likely to be one of the first documents a Supervisory Authority will ask to see if you come into contact with them. Your data map will also help you if you have Individual Rights requests as you will know exactly what information you process about an individual and where this is located. The same will also apply in the event of a data breach.
5. Decide if you are a data controller or a data processor
This is important as although data processors also have obligations under GDPR, as you might expect those of the data controller are much more substantial. You will be the data controller if you’re the enterprise that collects the personal data and decides how it will be used. The data processor only processes personal data on behalf of the data controller and does what they are contracted to do and no more. You may actually be both for specific types of data. For example if you are a virtual assistant then you will be data controller for the personal data you collect as part of your own activities and a data processor for the personal data that you process on behalf of your clients e.g. invoices, bookings etc.
If you are the data controller then you will need to register with the Supervisory Authority and pay an annual data protection fee-in the UK this would be with the Information Commissioners Office (ICO). You will also need to establish your lawful purpose for processing personal data and ensure you have the right contract clauses in place with any data processors so they understand their obligations under GDPR and can provide you with the necessary guarantees that they can meet these.
6. Establish your lawful basis for processing personal data
If you’re not sure how to go about this or which lawful basis to choose, you can use the GDPR Preparation kit I’ve created, either in its entirety or just the Lawful basis area. Click here for further information on what it is and how it can help.
7. Review your existing data protection policies and processes
Although the requirements of GDPR are more onerous than existing data protection legislation, you may already have processes and policies that will go some way towards meeting GDPR and can be enhanced to bring them in line. Once you have identified any gaps you can create clear actions for what you need and this will give you a focus and stop you having to reinvent the wheel and start from scratch. If you don’t currently have any sort of processes in place then you will do some work to create these in areas such as security, handling data breaches and individual rights requests. Again the GDPR Preparation kit helps by providing lots of useful processes and templates you can use without having to create your own. Click here to find out more.
8. Create the necessary audit trail and documentation
Documenting your data processing is a key requirement of GDPR and you will need to ensure you have a clear audit trail to demonstrate this. There’s a lot you need to cover and as a data controller this includes documenting the name of your enterprise, contact details, your purposes of processing, categories of individuals whose personal data you process, who you share this with and the kind of security measures you have in place.
You will also need to capture your lawful basis for processing and the reasons for this, log any personal data breaches and the actions you took and all Individual Rights requests and how you addressed these. If you work with any data processors then you will need to show you have the right contracts in place with them to ensure they process any personal data on your behalf within the scope of GDPR.
And that’s not all. Under GDPR you have an obligation to properly consider the risks of any processing you do on Individuals and take specific measures to control and manage these. In certain circumstances, for example where you’re using a new technology e.g. introducing a new CRM system or doing any processing that’s likely to increase the risk to individuals’ rights and freedoms, then you are required by law to complete a data protection impact assessment. This shows you’ve identified all the risks and potential problems and taken the necessary actions to address/reduce these to an acceptable level. This is sometimes referred to as privacy by design i.e. building it in at the start of something rather than retrospectively trying to fix a problem once its fully operational.
If you’re a data processor don’t think you get away without documentation your processing activities. Whilst you won’t need to consider your lawful basis for processing as the data controller will have done so, you will still need to have a clear audit trail and document much of what the data controller has to.
Reflecting back on the data mapping I covered in step 4, you should now be able to see why it’s so vital to properly understand and capture all the data processing you currently do. This provides the foundation of all the subsequent recording of data that’s required under GDPR and is the start of your audit trail. If all this sounds daunting and you’re not sure where to start check out the GDPR Preparation kit. This shows you everything you need to document and has lots of useful checklists, processes and templates to help you do so without creating everything from scratch yourself. Click herefor further information on what it is and how it can help.
9. Ensure everyone understands their obligations
If you’ve done step 2, then anyone you work with in your enterprise will be briefed and understand the requirements of GDPR. As you then work on what you need in place to get GDPR ready, others need to recognise what is being done and why, and what their own obligations are in ensuring compliance with the new regulations. As with health and safety, the Supervisory Authorities are looking for organisations to make a cultural change and ensure that data protection becomes part of the every day activities rather than a special one off that’s about ensuring the right box is ticked. The best way to do this is to offer regular briefings and updates and arrange for specific training so everyone understands what’s required of them at every stage and knows what processes and templates are in place to be used for different situations. The videos and presentation slides in the GDPR Preparation kit make useful training materials that you can use, rather than having to take the time to create your own. Click here to find out more.
And remember, if you use external data processors, you will also need to ensure they properly understand their obligations and are given written instructions on how/what data should to process on your behalf.
10. Put in place a process to regularly review your data processing and adherence to GDPR
Getting GDPR ready is not a one time thing or tick box exercise as I mentioned earlier. This is going to be with us for years to come and individuals will get more and more clued up about their own personal data and how organisations use it. You never know when you might be challenged to provide evidence that you are meeting the requirements of GDPR for example by a client who wants to know they can trust you, on a job that you tender for, from an Individual whose data you process or indeed the Supervisory Authority you have to be registered with as a data controller. You need to make data protection part of your day to day activities and way of doing things and putting everything in place for GDPR and then maintaining this gives you the means and incentive to do that.
So, make sure your data audit and records are kept up to date and check the processes you’ve implemented as part of getting GDPR ready, still work in practice.
Whilst the 25th May 2018 is looming large, in reality you’re not going to wake up on the 26th May and feel an immediate change because GDPR has come into effect. You may therefore be tempted to think you can delay doing anything or better still not do anything at all. But it’s a mistake to think like that. The world is waking up to the ticking time-bomb that is personal data and going forward it will be the enterprises that can actively demonstrate they respect and can be trusted with an individual’s personal data that will stand out and win through.
If you want to be one of those, make sure you take the necessary actions to get GDPR ready. Check out the GDPR Preparation kit and see how it can help you get ready quickly and effectively without you having to reinvent the wheel. Click here for more information.
Ceri George has over 15 years marketing experience and is the owner of By George Marketing and creator of the GDPR Preparation kit for SMEs. She helps businesses make the most of their marketing and make it an investment for growth. For more information about working with her and details of the GDPR Preparation kit please visit www.bygeorgemarketing.co.uk