Replacing the UK Data Protection Act 1998, the General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018 and is built on two key principles:
- Giving citizens and residents more control of their personal data
- Simplifying regulations for international businesses with a unifying regulation that stands across the European Union (EU)
The government has confirmed that Brexit will not affect the GDPR start date, or its immediate running. It’s also confirmed that post-Brexit, the UK’s own law (or a newly-proposed Data Protection Act) will directly mirror the GDPR.
Key points:
- One of the key principles of GDPR is to require companies not to hold on to personal data for longer than necessary, or process it for purposes that the individual isn’t aware of
- The GDPR will apply to any business that processes the personal data of EU citizens
- Those businesses involved with processing large volumes of ‘special category data’ must employ a Data Protection Officer (DPO)
- Failure to comply will result in harsher penalties. Currently, the ICO can fine up to £500,000 but the GDPR will allow fines of up to €20 million or four per cent of annual turnover, whichever is higher
- Individuals will have more rights on how businesses use their data. In some instances, they have the ‘right to be forgotten’ if they no longer want you to process their personal data and you have no other legal grounds to keep the data
- Consent for personal data must be an explicit statement – use a positive opt-in, don’t rely on pre-ticked boxes or default options, and make it easy for people to withdraw their consent
GDPR checklist for UK small businesses
(taken from
Your checklist needs to take into account past and present employees and suppliers as well as customers (and anyone else’s data you’re getting hold of, storing and using).
- Know your data. You’ll need to demonstrate an understanding of the types of personal data (for example name, address, email, bank details, photos, IP addresses) and sensitive (or special category) data (for example health details or religious views) you hold, where they’re coming from, where they’re going and how you’re using that data.
- Identify whether you’re relying on consent to process personal data. If you are (for example, as part of your marketing), these activities will become more difficult under the GDPR because the consent needs to be clear, specific and explicit. For this reason, you should avoid relying on consent unless absolutely necessary.
- Look hard at your security measures and policies. You’ll need to update these to be GDPR-compliant, and if you don’t currently have any, get them in place. Broad use of encryption could be a good way to reduce the likelihood of a big penalty in the event of a breach.
- Prepare to meet access requests within a one-month timeframe. Subject Access Rights are changing, and under the GDPR, citizens have the right to access all of their personal data, rectify anything that’s inaccurate and object to processing in certain circumstances, or completely erase all of their personal data that you may hold. Each request carries a timeframe and deadline of one month (which can only be extended in mitigating circumstances), from the original date of request.
- Train your employees, and report a serious breach within 72 hours. Ensure your employees understand what constitutes a personal data breach and build processes to pick up any red flags. It’s also important that everybody involved in your business is aware of a need to report any mistakes to the DPO or the person or team responsible for data protection compliance, as this is the most common cause of a data breach.
- Conduct due diligence on your supply chain. You should ensure that all suppliers and contractors are GDPR-compliant to avoid being impacted by any breaches and consequent penalties. You’ll also need to ensure you have the right contract terms in place with suppliers (which put important obligations on them, such as the need to notify you promptly if they have a data breach). See ‘How can I check my suppliers are GDPR-compliant?’ further down.
- Create fair processing notices. Under GDPR, you’re required to describe to individuals what you’re doing with their personal data. See ‘Fair processing notices’ below for more information.
- Decide whether you need to employ a Data Protection Officer (DPO). Most small businesses will be exempt. However, if your company’s core activities involve ‘regular or systematic’ monitoring of data subjects on a large scale, or involve processing large volumes of ‘special category data’ (see ‘Is my data sensitive?’ below), you must employ a Data Protection Officer (DPO).
Keep an eye on the Information Commissioner’s Office website for the latest GDPR updates –
Shopify store owners: head over to