Introduction to GDPR

The aim of this article is to help small businesses, and your industry, to understand GDPR.

There will be significant changes to the way we behave and do business.

By 25th May 2018 you are supposed to be compliant. People are asking if there is some grace period. The Information Commissioner's Office (ICO) has said, "There will be no grace period", because the EU said, "you've all had long enough".

Much of this is a refined version of the 1988 Act and the 1986 data protection laws we had in the UK.

What's different is that people didn't really know about it (despite the breaches at Equifax and TalkTalk, and the resulting fines). People have thought, 'this doesn't really affect me'.

The EU are building on existing legislation primarily because of the digital world we live in and the risks to individuals, given the data they’re holding on you.

They want to minimise the chance of data being unfairly disclosed.

Note: If you hold and process data, i.e. information on any living, identifiable human being, you are what is now called a "Data Controller".

Holding information on other corporations is not affected in the same way by GDPR and can be disregarded somewhat for the time being. It is mostly about individuals' personal data.

Data Controllers have never had to report breaches before, but the new law states that any breach needs to be reported to the ICO within 72 hours. If there's a breach at all, you'll need to report it, Friday evening or not.

If you accidentally email the wrong person, and there’s nothing in that email which could affect the personal information you’ve mis-sent, it wouldn’t necessarily need to be reported.

However, emailing one client about another client’s purchase, including how they paid and how much they paid, would be reportable.

The GDPR Fine

The maximum fine for non-compliance could be up to 20m Euros or 4% of worldwide turnover, whichever is greater.

The aim of this is to demonstrate the importance of compliance. The regulation is not about revenue generation, and fines will be a last resort, but if your paperwork is not in good order an investigation could quickly lead to monetary punishment.

Note: The ICO has issued draft guidance on how it will take regulatory action in response to data breaches post-GDPR. It talks of an approach proportionate to the size and sensitivity of a breach, and of guiding businesses towards compliance. In other words, the ICO is not defaulting to the fine (yes, breathe a brief sigh of relief!), but it's still important to get compliant ASAP.

How can your business become GDPR compliant?

You need to know what data you hold, where it's stored, and how it's managed.

Even for smaller organisations you need to look at how you’re holding data.

This is called 'data mapping'.

Do you need agreements in place with clients you’re already dealing with?

If you hold their information in the cloud, you must have an agreement with whoever is holding the data. The operator of the server, i.e. the cloud provider, counts as a data processor, and you must have a written agreement with them.

Under the old data protection laws you didn't need a written agreement with clients and data processors; now you do.

Two concepts worth bearing in mind are data protection by design and data protection by default. The EU and ICO are using these terms a lot.

Data protection by design

You are now aware of the need to comply with data protection laws, and you are therefore designing and putting systems in place to comply. This makes you accountable for the systems you have in place by 25th May 2018.

Staff must know what they should and shouldn’t do.

The people you’re sharing data with should know what they should and shouldn’t do too.

A data breach, even for a small company (revealing a purchase by a celebrity or a mistaken email, for example), will need to be reported.

Mistakes can happen, and that’ll be accepted to some extent.

What won't be accepted is that you've done nothing at all to comply, i.e. your processes haven't changed to comply with GDPR.

Should I tell someone their data has been breached?

Certain breaches should definitely be reported to the person affected.

If it is serious enough that you've had to report it to the ICO, then you should at least consider contacting the affected person too.

Data protection by default

Hold the data for the minimum amount of time you need to. Do you hold more data than you actually need?

Do you need a list of all the goods a customer has bought over the last 10 years?

Minimise your data

If there is a breach, there will then be as little data as possible affected by it.

GDPR and Brexit

In practical terms GDPR will still apply post-Brexit. The EU's position is that if you're processing data on individuals in the EU, even if you're only marketing to them, you'll need to comply with GDPR.

It’s a great opportunity to review your data, and to contact your clients.

Example: “We’re updating our database and just wanted to check you still want to receive X Y and Z” and the discussion begins, including insights into what this person IS interested in receiving from you. Just because they bought something from you doesn't automatically mean they want to receive invites to your events or regular updates with your news.

The GDPR law is not about fines - it’s about putting the customer/citizen first. If you align with that viewpoint, then there are some business opportunities which can be presented to you.

This legislation is the biggest shake-up of data protection laws in 20 years. The effect, and the work needed for you and your business systems to comply with these new laws, may be big or small. It depends on where you're starting from.

Do you need a data protection officer?

Every business is encouraged to have a data protection person who is in charge and will take responsibility for making sure the right systems are in place, deciding if something should be reported, and ultimately reporting it.



What does GDPR actually mean to your business?

Whether you have 1 or 100 members of staff, GDPR applies. There are no exemptions for small businesses.

When it comes to data protection, research suggests smaller businesses will be the least prepared.

They simply don’t have the time or resources to dedicate to bringing their systems up to GDPR compliance standards.

The reality is small businesses process just as much information as large companies.

Under the accountability principle, the data controller (you) is responsible for demonstrating GDPR compliance. If you are a small business owner, that means you are responsible for demonstrating GDPR compliance.

It's an administrative nightmare, with fears compounded by the possibility of large fines, warnings, reprimands and corrective orders.

Such consequences will be in the public domain and therefore easily picked up by the media. The risk of damaged reputations is very real.

If you streamline the data, your efficiency could increase, and you could get a greater return.

Begin cutting back the number of people who are receiving your emails today.

A. Raise awareness of GDPR within your organisation

Is there an awareness of what constitutes personal data?

Do employees understand how personal data can be used?

Put in place adequate training for staff.

Your employees could be your biggest GDPR risk.

B. Establish what personal data your business collects, stores, uses and sends out

Separate the data into categories: customers, prospective customers, staff, third-party suppliers, business contracts, prospective employees.

C. Audit the data identified

Whose data is it?

What is the data you're holding?

When did your business come into possession of this data? How long has the data been retained for?

Where did you receive the data from?

If data was obtained from a third party, do you have written assurances from them that they have consent to hold and share that data?

Why do you have the data?

Examples of personal data include IP addresses, telephone numbers combined with a name, and bank details.

Data minimisation means: don’t keep what you don’t need.

You need to have a specific, explicit and legitimate purpose to hold and use that data. You must not process it beyond that purpose.



You must identify the lawful basis for processing each category of data

Below are the options available to claim WHY you hold data. Every piece of data should be attributable to one lawful basis of processing. You'll need to cross-check all the items of data you hold against the list below.

Contractual relationship (is it necessary because it's part of a contract, or because they've asked you to take specific steps before entering into a contract?)

Legal obligation (e.g. an employer needs personal data in order to disclose salary details to HMRC)

Most flexible: Legitimate interest (the interests and fundamental rights of the individual must be taken into account, balancing their rights against your interests).

Vital interest (is it necessary to protect a vital interest? E.g. someone has an accident resulting in life-threatening injury, and disclosure of their medical records is then needed.)

Public interest (official functions must have a task or basis that is clearly set out)

Consent of the individual (see below)

Under each category, note how long the data will be kept for.



Consent of the individual

Check your opt-in/consents.

Is the consent freely given, specific, informed, unambiguous and a clear affirmative action?

Refresh existing consents if they do not meet GDPR requirements.

Consent should be obtained for each processing activity (yes, this might mean several tick boxes on your forms from now on; tough, that's just how it is now! Those tick boxes must be unticked by default too, so that ticking one is a positive opt-in).

Keep a record of consent (ideally the date and time, the wording of the consent they ticked, and the version number of the privacy policy that was in place at the time).

If your current consents don't meet GDPR consent standards, then you should refresh them.

If you are using the individual's consent as your lawful basis for holding data, then there needs to be a proper process for them to withdraw that consent at any point.



There are many reasons you could process data without explicit consent (via a contract etc.). The usual way to gain consent is with a checkbox.

To reiterate, an individual's consent under GDPR must be:

Freely given

Specific

Informed

A positive indication of agreement (this is why an unsubscribe button cannot be taken as consent: unsubscribe links are NOT positive indications of agreement, they are the presentation of an opt-out, which is NOT the same thing).



Enhanced personal rights

As you likely know, the basis of GDPR is greater empowerment of the individual with regard to their personal data. Post-GDPR, individuals will have these enhanced personal rights:

The right to erasure i.e. the right to be forgotten.

The right to rectification

The right of data portability

The right of access, i.e. the new data subject access requirements (this is where people ask you to tell them what data you hold on them, and you must be able to do so)

You must implement policies to identify and handle any data subject access requests.



Data access requests

Individuals used to have to pay £10 for this.

This used to act as a deterrent to data subject access requests, but that deterrent has now been removed under the GDPR.

The timeframe for complying with data subject access requests has decreased under GDPR: you'll have to respond to a request within 30 days. Your data should therefore be kept in a very organised fashion.

Data transfers outside of the European Economic Area

If you need to transfer data outside of the EEA, you’ll need to take a look at the below.

Data transfers are prohibited if the destination doesn't have an adequate level of protection.

If the destination isn't approved, it is still possible to transfer the data if certain measures are taken.

Safeguards: adding data protection clauses to your contracts, for example (these can be obtained from the European Commission).

Terms and conditions and supplier contracts

Where a data controller uses a data processor it needs to have a written contract in place.

Tighten up contracts between data controllers and data processors to ensure that they are compliant with the GDPR and aware of their obligations and liabilities.



Review and update current policies and procedures

Does your privacy policy meet the GDPR requirements in Articles 13 and 14?



It should include:

Identity of the data controller

Purpose of the processing and the legal basis.

The legitimate interest pursued, where that is the basis.

Any recipients or categories of recipients of the personal data

The right to withdraw consent at any time

Retention period



Notification of a data breach

Have a breach response policy.

Educate your staff on how to spot and report a breach.

Create a data protection compliance file

Keep record of consents

Keep notes of internal meetings and decisions on data protection

If the ICO comes knocking - you can then show that you’ve looked into this.

Compliance with GDPR is ongoing

Regularly review personal data

Create a retention schedule for your data and, when data has reached its retention period, destroy it in accordance with a data destruction policy. This is why you kept a record of when consent was given!
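As an added example (not code from the article), this Python sketch ties together two points above: recording each consent per processing purpose with the date and time, wording and privacy-policy version, refusing anything that was not a positive opt-in, supporting withdrawal, and then using the recorded consent date to find which data has reached its retention period. The customer ids, purposes, wording and retention periods are constructed for the example, and retention is assumed to run from the consent date.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed reference time for the example (the GDPR compliance date).
T0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)


def days(n: int) -> timedelta:
    return timedelta(days=n)


@dataclass
class ConsentRecord:
    """One consent for one processing purpose, with the details the article says to keep."""
    subject_id: str                    # who gave consent (hypothetical customer id)
    purpose: str                       # one processing activity, e.g. "newsletter"
    wording: str                       # exact wording of the consent they ticked
    policy_version: str                # privacy policy version in force at the time
    given_at: datetime                 # date and time the box was ticked
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Per-purpose consent records plus a retention check driven by the consent date."""

    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str, wording: str,
                       policy_version: str, box_ticked: bool, when: datetime) -> ConsentRecord:
        # A pre-ticked box, or an unsubscribe link that was never clicked, is not a clear
        # affirmative action, so it is refused rather than stored as consent.
        if not box_ticked:
            raise ValueError("consent requires a positive opt-in (box unticked by default)")
        rec = ConsentRecord(subject_id, purpose, wording, policy_version, when)
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, when: datetime) -> int:
        """Withdraw consent for one purpose only; other purposes keep their own consent."""
        hits = 0
        for rec in self.records:
            if (rec.subject_id, rec.purpose) == (subject_id, purpose) and rec.withdrawn_at is None:
                rec.withdrawn_at = when
                hits += 1
        return hits

    def has_consent(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """True if a consent for exactly this purpose was in force at time `at`."""
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.given_at <= at and (r.withdrawn_at is None or at < r.withdrawn_at)
                   for r in self.records)

    def due_for_destruction(self, retention: Dict[str, timedelta], now: datetime) -> List[ConsentRecord]:
        """Records whose data should go: consent withdrawn, or the purpose's retention
        period (measured from the recorded consent date) has run out."""
        due = []
        for r in self.records:
            period = retention.get(r.purpose)
            if r.withdrawn_at is not None and r.withdrawn_at <= now:
                due.append(r)
            elif period is not None and now - r.given_at >= period:
                due.append(r)
        return due


def demo() -> List[str]:
    """Constructed walk-through: one customer, two purposes, one later withdrawal."""
    ledger = ConsentLedger()
    ledger.record_consent("cust-1", "newsletter", "Send me the monthly newsletter", "v2.0", True, T0)
    ledger.record_consent("cust-1", "event_invites", "Invite me to your events", "v2.0", True, T0)
    ledger.withdraw("cust-1", "newsletter", T0 + days(30))
    retention = {"newsletter": days(365), "event_invites": days(365)}
    return [f"{r.subject_id}:{r.purpose}" for r in ledger.due_for_destruction(retention, T0 + days(60))]


if __name__ == "__main__":
    print(demo())  # → ['cust-1:newsletter']
```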

Review the physical security of data

Is data securely locked away?

Consider which individuals have access to the data.

Minimise the data you hold.



Cyber security

You, as individuals, company owners and employees, need to fully understand what is actually happening when you send an email or access a file. By understanding it, you can put plans in place to comply.

Some organisations simply delete all data after a year. If you came looking for it after that time, it would be gone. They had so much data that this was their way of dealing with it.

Information security is not only about technology.

Information security is about protecting your business assets.

Information is one of the most valuable assets in every organisation and every organisation relies on information to support its business activities.

There is increased media attention on high-profile security failures. The number of breaches is now in the hundreds of thousands. Right now there is no obligation to report them. Come 25th May 2018, you must report them.

You have to know about it.

You have to report it.

You’ll then have to go through the processes on what data was stolen, what’s missing.

The big thing is that many companies may already have been breached; they just might not know it.



Who might attack your business?

Criminal organisations

Politically motivated hacktivists, organisations or agencies

Insiders/Employees (could they sell it to competitors?)

Someone unexpected who is doing it for fun or interest

Impact of a security breach

The data and the fact you were breached will be in the public domain

Damage to your reputation

Loss of client confidence

Possibility of regulatory fines

Direct financial loss

Loss of competitive advantage

Emails

Email is really the single biggest risk to organisations. Once you send an email, there's an interaction with someone at the other end: someone else now shares the data and the files you sent them. Once they have it, it's out of your control.

It's also the most common entry point for malicious software, via attachments or links in emails.

Malware

Malware is software that is specifically designed to disrupt or damage a computer system.

It’s just like someone driving past your shop and throwing a brick through your window. They don't care who you are or what your business does, they just want to cause damage.

Malware comes from:

Unsolicited email attachments

Nefarious websites

Some software downloads



Ransomware

Ransomware infects a computer system and prevents the use of data until the user pays a ransom to have the malware removed.

An example was the public attack on the NHS. They had the choice of either paying the ransom or rebuilding all their systems.

The result for the NHS was huge downtime. Fortunately a Good Samaritan found a kill-switch for that attack, but most businesses are not that lucky.

For some organisations, part of their IT strategy is to set up a Bitcoin account so that if they get attacked they can pay the hackers really quickly, minimising their downtime in the short run.

Clearly we wouldn’t recommend that. It would be far better to undertake basic IT security processes, particularly with regards to passwords.

Before clicking on any link, hover over it and check whether it actually goes to the destination it claims to. Avoid any links that do not go to a domain you recognise.

Watch out for simple character substitutions in both domains and email addresses; a zero in place of the letter O is a common example.
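As an added example (not code from the article), this Python snippet automates the two checks just described: whether a link's visible text names a different domain from its real target, and whether the target domain or a sender's email domain is a lookalike of a domain you trust, built from character substitutions such as 0 for O, 1 for l or rn for m. The trusted domains, the substitution table and the sample links are constructed for the example, and the "registrable domain" helper is a deliberate simplification (last two labels only).

```python
import re
from typing import List, Optional, Set
from urllib.parse import urlparse

# Visual substitutions commonly used in lookalike domains (constructed table; extend as needed).
# Multi-character entries come first so "rn" is folded to "m" before single characters are handled.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]

# Finds something that looks like a domain in the visible text of a link.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def skeleton(host: str) -> str:
    """Fold lookalike characters to the letters they imitate, so 'examp1e.com' and
    'example.com' produce the same skeleton."""
    host = host.lower().strip(".")
    for fake, real in HOMOGLYPHS:
        host = host.replace(fake, real)
    return host


def registrable(host: str) -> str:
    """Last two labels of a hostname (simplification; a real check would use the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_of(host: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    reg = registrable(host)
    if reg in trusted:
        return None
    for t in trusted:
        if skeleton(reg) == skeleton(t):
            return t
    return None


def check_link(display_text: str, href: str, trusted: Set[str]) -> List[str]:
    """Warnings for a link as the reader sees it: visible text vs real target, then lookalikes."""
    warnings = []
    target = (urlparse(href).hostname or "").lower()
    shown = DOMAIN_RE.search(display_text)
    if shown and registrable(shown.group(1)) != registrable(target):
        warnings.append(f"link text shows {shown.group(1).lower()} but really goes to {target}")
    imitated = lookalike_of(target, trusted)
    if imitated:
        warnings.append(f"{target} is a lookalike of {imitated}")
    elif registrable(target) not in trusted:
        warnings.append(f"{target} is not a domain you recognise")
    return warnings


def check_sender(address: str, trusted: Set[str]) -> List[str]:
    """The same lookalike check applied to the domain part of an email address."""
    domain = address.rsplit("@", 1)[-1]
    imitated = lookalike_of(domain, trusted)
    return [f"{address} uses {domain}, a lookalike of {imitated}"] if imitated else []


if __name__ == "__main__":
    trusted = {"example.com", "example.org"}  # constructed list of domains you recognise
    print(check_link("https://example.com/invoice", "http://examp1e.com/login", trusted))
    print(check_sender("accounts@exarnple.com", trusted))
```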

Passwords

The easiest way to gain access to a system is under the guise of a legitimate authorised user.

Your business must have a password policy for every user.

Never ever ever share your password with anyone.

If someone gains knowledge of your password, they can access a system with all the authority of the password's owner. They can impersonate you and leave a paper trail of chaos with your name on it.

A lower case password with 6 characters takes minutes to crack.

If you add two extra letters, and make two of them uppercase, it will take years to crack.

If you add one more character and a number, it’ll take thousands of years to crack.

Better yet, use a long passphrase, unique to each service, and store them in a secure password management tool (such as Passpack, 1Password, LastPass, Dashlane or KeePass), combined with two-factor authentication (use the Authy app; here's a list of sites that support it).

That's it for now regarding our GDPR info, but we have put a few common questions below, with associated answers, which you may wish to continue reading.

If not, get back to the top of the page and print off that checklist, using this article as your guide for each point!

GDPR FAQ

Q: Does GDPR apply to paper records as well as electronic records?

A: Yes. It applies to anything and everything you use to hold personally identifiable data on individuals.

Q: If you have an email list of a few hundred clients but there's no formal consent, do we have until May 25th to get consent, or do we become unable to store or use this data?

A: Correct, unless you can say that it's in your legitimate interest (see the lawful basis categories above). You must document and justify it. If your basis is consent, and your consent doesn't comply with GDPR, then you need to refresh the consent or delete the data. If you're providing a service, then your SLA should include this.

Q: Do I NEED consent to send marketing emails to businesses?

A: If consent is not being used as the lawful basis for marketing, consider using legitimate interest. In this case you don't need any evidence of prior consent, and so no consent forms either, and are free to market to anyone as long as you follow these rules:

contacts have business email addresses

you have enough info on the contact to determine that the content of the marketing is relevant to the recipient

you periodically verify the contact details

you provide an opt-out (unsubscribe) facility

If you want to market to personal email addresses (@gmail, @hotmail etc) they must be an existing client/subscriber or you will need to get consent.

Q: If every email has an unsubscribe link, is that good enough?

A: No, that is not good enough. You have to have a positive indication of consent, so keep the unsubscribe link but go further.

Q: Can I use American companies like Mailchimp or Eventbrite?

A: You're required to have a written agreement with them. You need to perform due diligence and find out where this data is stored. If it can't be stored within the EEA, then you may want to consider another provider, or ensure they're contractually obliged to take GDPR-approved safeguards.

Q: If someone asks to be forgotten, can I keep some data if it’s important to my business?

A: If your data retention policy is forever, you need to know where that data is and where it is archived. If there is a legitimate cause for keeping that data for your business or legal needs, then you may be able to keep some of it. You'll need to let them know what you're keeping and why, and you'll need to ensure it's all documented.

Q: If I pass my accountant invoices, do I need an agreement with them regarding how they handle and process personal data?

A: Yes. A written agreement is required as of May 25th 2018.

Q: Do you have to go back through backups and remove unneeded or "opted-out" data from there too?

A: If you have access to it, control it, and are not retaining it for legitimate business purposes, or any other of the lawful basis categories above, then yes you should destroy it. At the very least, such backups should be contained within your data retention policy. Once that period runs out, backups should be destroyed in accordance with your data destruction policy.

Q: As a USA based company, I was curious to notice that you didn't have registering with the ICO as one of the steps to follow. Does that need to be done?

A: You only need to consider registering with the ICO if you are processing the data in the UK.

Note how that's different from processing data for individuals resident in the UK. If personal data is being processed in the UK, then you'll need to register in the UK.



There are some circumstances where, even if you process data in the UK, you don't need to register with the ICO; check via the ICO Registration Self Assessment tool.

In summary, consider ICO registration only when you process personal data within the UK, regardless of where the individuals are resident.



If you don't process the data yourself, then you will need to check who processes personal data for you and where they do it! If it's within the UK then write to them and ask if they're registered.



If they're already registered with the ICO, then that might be as far as you need to go. To find out for sure, you can contact the ICO on +44 (0)303 123 1113.



You will need a UK contact for your registration; this might be the company you use to process that data. Find out if that company would be willing to use their address as the contact address on your registration, to make things easier.



If personal data is processed somewhere else in the EU, then there may be a similar organisation to the ICO that you (or the company processing the data for you) should register with.



If personal data on EU individuals is processed outside of the EU then you'll need to ensure that the company has acquired an EU stamp of approval on how they handle data. You can read more about this here. This is referred to as 'International Transfers'.

