9th October 2018 GDPR
With just months to go until the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018, the countdown is well and truly on. So what exactly is GDPR and how will it impact small businesses?

GPDR is a new data protection regulation that provides individuals with more control over their own personal data. This will change the way businesses must legally handle an individual’s personal data and will mean further responsibilities for businesses who will have to meet the new regulations.

Research from FSB shows that data protection is definitely on the minds of small business owners, with almost 60 per cent of members ranking data protection laws as a significant regulation they have to deal with. This statistic may paint the picture that smaller firms are also aware of, and are preparing for, the introduction of GDPR next May.

Unfortunately, this doesn’t appear to be the case, with many small businesses either unaware of the upcoming changes or have not started preparing for them yet. Earlier this year, YouGov surveyed British businesses about the upcoming data protection changes, specifically GDPR. The results were concerning, with just 29 per cent of UK businesses saying that they had started preparing for GDPR, while 38 per cent said they were unaware of the new rules.

One of the key issues for many smaller firms is that they do not understand the scope of the changes and what they will be required to do. Many people class GDPR as an IT issue, which mainly concerns computer systems and how businesses store personal data. This includes business processes such as how client files and passwords are stored. However, it could also affect other processes across a business, from project management to networking and from sales to customer service.

The main shift of GDPR is that the new law will give more rights to the individual, and make companies that handle their data, more accountable. This means that record-keeping becomes a lot more important as businesses will need to be able to prove how they obtained this data, what permission they had to retain it, how they are using it and how they removed it if they have been ask to by an individual. It will also be a requirement to obtain, and keep a record of, an individual’s consent to hold the data in the first place.

The last point stems from the introduction of the right to be forgotten, as well as the right for an individual to access their data so they can ensure information held on them is accurate, and to ask questions as required. The new GDPR sets out eight rights for individuals. These are:

  1. The right of access
  2. The right to be forgotten
  3. The right to data
  4. The right to be informed
  5. The right to rectification
  6. The right to restrict processing
  7. The right to object
  8. Rights related to automated decision making and profiling

As a result of the new rights of individuals, businesses may have to alter their current data handling procedures. For example, a good starting point is to look at exactly what personal data is currently being held, and what it is used for. Is the information that is being collected more information than is strictly necessary for the purposes of the meeting? GDPR cracks down on frivolous data collection, meaning that businesses should only collect and keep exactly what will be used.

It is important for businesses to think about how many documents they have customers to sign when taking on services. Are they worded correctly? Documents may need to be rewritten to ensure that customers know how (and why) data is being processed, and to comply with the requirements set out in the GDPR. The information supplied about the processing of personal data must also be free of charge, concise, transparent, clear and in plain language.

Additionally, new processes might need to be created from scratch for certain requests, such as transferring and deleting of personal data as well as verifying the identity of individuals before following through with those requests.

At FSB, we are aware that most small businesses have limited resources at their disposal compared to larger firms. It is unlikely that many would have a dedicated Data Protection Officer (DPO), or will be able to appoint one under the new changes. However, it may be beneficial to allocate someone within the business to take responsibility for meeting data regulations.

This person could be responsible for advising the organisation on data protection laws, monitoring compliance, conducting internal audits and being responsible for communication of data breaches.

To help small businesses to prepare for GDPR, FSB has published the first in a series of three videos, Introduction to GDPR, which explains the regulation and offers advice about preparing for it.

There are a number of ways to prepare. These include

  1. Carrying out an internal audit (data protection impact assessment), of what data you have, how it is stored and what it is used for. Securely delete any unnecessary data.
  2. Familiarising yourself with the GDPR, including the 8 rights that individuals have and ensure that your procedures and policies can deliver these rights.
  3. Informing and training any employees on GDPR and how this will affect the running of your business.
  4. Making sure consent for data is: freely given, specific, informed and unambiguous. Gone are the days of relying on assumptions, pre-ticked boxes or silence. People must make a positive opt-in and you must provide a simple way for people to withdraw their consent.
  5. Being aware that not only must you get consent to send marketing emails, but you must also keep records of this consent.
  6. If your buy data or buy a client data base from a third party make sure that you obtain documentation to show compliance with the GDPR.

There are a number of excellent resources available for smaller firms. FSB has a section of its website dedicated to providing GDPR tips, while the Information Commissioner’s Office (ICO) is also a great resource.

For FSB members, there is also support available through its legal services and cyber protection services. Members have access to:

  • Phone advice line to ask questions about compliance
  • Online fact sheets and checklists that cover all areas of GDPR for small businesses
  • Instructional videos, such as an overview of GDPR
  • Third-party insurance