There has been lots of confusion (and a fair bit of misinformation) about the forthcoming General Data Protection Regulation (GDPR), so we’ve set out below some frequently asked questions about the GDPR.
I’m only a small business, will this affect me?
In short, yes. All organisations (even B2B ones) will use personal data. Remember here that employees are people too, and so their personal data is also subject to GDPR. There are no blanket exceptions for businesses of a certain size. The impact of GDPR may be smaller for you, but you do still need to consider it.
What about Brexit?
The GDPR comes into force in May of this year, pre-Brexit. The government has also already published a draft Data Protection Bill that will locally implement GDPR post-Brexit. So the GDPR is here to stay.
Can I expect a hefty fine for non-compliance?
Much has been made over the new limits on fines which the Information Commissioner’s Office (ICO) can impose, the higher of €20,000,000 or 4% of global turnover, up from £500,000 under current law. However, although there is no “grace period” under GDPR, it’s likely the ICO will continue to fine only the worst offenders, rather than arbitrarily handing out fines to lots of organisations. It’s worth remembering that the ICO has still never imposed a full £500,000 fine for non-compliance with current law.
Do I need consent for all my data?
While the standard of consent required will be higher, there are other lawful bases on which you can process personal data. Although many organisations may assume that they use data based on “consent”, under the current law most uses of data will be based around legal requirements, performing contracts, and “legitimate interests”. The GDPR will not change that. Think about it like this: does HMRC have your consent to hold all the data it does about you?
Do I need to change my security?
The obligation under GDPR is to have “appropriate” measures, taking into account available technology, cost, the type and volume of personal data, and the risks. It’s worth remembering that, while a secure IT system is a big step in the right direction, security obligations extend beyond that. You should take a broad view when looking at security, and not just focus on firewalls and antivirus software. Consider training for your staff, and practical measures to improve security.
Do I need to change any documentation?
Almost certainly. The GDPR requires you to have a written contract in place with any third parties who process personal data on your behalf as a “data processor”. This applies to existing contracts, and so GDPR addendums or amendments will be necessary for many service providers.
You should also review your privacy notices (also called privacy policies). The GDPR requires a privacy notice to be supplied to anyone whose personal data you hold (subject to some exceptions where you did not obtain it directly from them), and requires lots of new information to be included. Most businesses will need a minimum of two privacy notices (an internal one for personnel, and an external one for everyone else).
So how do you figure out what your business needs to do? At Cripps we’ve launched a GDPR hub which aims to put the new legislation into user-friendly language and give you the knowledge you need to understand what GDPR means for you. In particular, our five-step approach to compliance is designed to break down this potentially overwhelming requirement into achievable tasks. If you’d like more information on how we can help, please contact Kathryn Rogers on 01892 506 147 or at email@example.com.