It’s coming – the biggest change to data protection laws in over 20 years is right around the corner, bringing with it stiffer fines and tighter regulations, even for small businesses. But what exactly is this big change and how does it affect your trade business?
We’ve taken it upon ourselves to explain everything you need to know about the new regulations, and what you might need to do about them, in our complete tradesman’s guide to GDPR.
What exactly is GDPR?
Set to come into force this May, The European General Data Protection Regulation (GDPR) is a new directive which gives people greater control over what it calls Personally Identifiable Information, or PII, if you prefer. This regulation is set to replace the Data Protection Act 1998, which is the current legislation in place in the UK that governs how businesses manage and stores personal data.
GDPR myth busting
As a tradesman, it’s easy to dismiss GDPR as something that simply isn’t relevant to you. After all, you deal in bricks, wires, and pipes, not data. Besides, don’t such rules only apply to big-time businesses?
GDPR applies to any business which collects, stores, and uses the personal data of EU citizens and – contrary to rumour – that includes small businesses with less than 250 employees. What that means, is that if you have even the most rudimentary of databases with personal information about your customers, your employees, and even suppliers and you collect this kind of data routinely, you’ll need to pay attention.
Don’t worry though – you’ll find everything you need to know here.
When does GDPR come into force?
The new regulation takes hold from Friday 25th May 2018, meaning there’s just over a month left to ensure your trade business is fully compliant.
If it’s a European regulation, what happens after Brexit?
Basically nothing. The UK government has confirmed that GDPR will still apply in the UK despite our impending exodus from the European Union.
Once we’ve finally “Brexited”, UK data protection law is set to be an exact mirror of GDPR, even if it’s ultimately called something else.
What do I need to know?
To be fair, there’s a lot to take in with GDPR, but rather than have you spend days on end wearily trawling through the fine-print, we’ve summed up the key points that are likely to have the biggest impact on your trade business:
- As we mentioned earlier, the primary objective of the new regulation is to give people more rights over how businesses collect and use their information. One of these writes is the Right to Be Forgotten, which means that they can ask you to stop processing and storing any PII you hold about them if you don’t have any legal reason (such as an existing customer contract) for doing so
- As with the Data Protection Act, people can also request access to all the data you have about them. Both access and Right to Be Forgotten requests come with a one-month deadline
- If data you suffer a data breach (such as if your computer is hacked into or a hard drive storing customer data is stolen), then you have to report it to the Information Commissioner’s Office (ICO) as soon as possible – ideally within 24 hours but certainly no later than 72 hours
- The penalties for failing to adequately protect the data you store (thus leading to a breach) can be severe, with even harsher penalties if you fail to report it in time. Maximum fines for not complying with GDPR have been levied at £500,000, and experts warn that the huge financial consequences of failing to comply could drive smaller businesses to insolvency
- Along with fines from the ICO, individuals also have the right to sue you if fail to properly protect the data you store about them.
Under the new laws, you’ll also need to explain to people exactly what you plan to do with their PII. You can do this through what’s known as a Fair Processing Notice. This should outline four key things:
- The reason you’re collecting and processing their PII, including the legal grounds you have to do so
- Who (if anyone) you’ll be sending that data to (such as suppliers or other employees)
- How long you’ll be keeping that data
- That the customer has rights over the data you store about them
I heard I need to hire a data protection officer – is this true?
For most trade businesses the answer is going to be “no, you don’t.”
GDPR states that businesses whose core activities include “regular and systematic” large-scale monitoring of those they hold data about, or large-scale processing of sensitive data, will need to hire a Data Protection Officer (DPO).
However, as a small business, it’s unlikely that you’ll be processing the amount of data that would warrant bringing in a DPO, so there’s no need to start drafting that job ad just yet.
What do I need to do to get my business ready for GDPR?
Just because you may not necessarily need to go and bring in your own DPO doesn’t mean there aren’t things you should be taking care of ready for the move to GDPR on May 25th.
The following tasks should be on your To Do List over the next couple of weeks:
- Make a list of all the groups of people you collect or hold data for, including customers, employees, suppliers and sub-contractors. You’ll need to ensure that everything you do to ensure GDPR compliance is applied to all of these groups
- Take some time to learn about the different types of Personally Identifiable Information (including name and contact details, bank details, even IP addresses). Take stock of which ones you collect and how you process them
- Ensure all the security measures you have in place are up-to-date in alignment with GDPR. This includes encrypting any databases and mailing lists you store which contain PII about any group of people and ensuring that said data can only be accessed by those who have a specific need to access it. You should also consider creating a secure backup of your data, and speaking to a web professional about getting something called an SSL certificate for your website. This ensures that when people fill in a contact form on your website or use your site to send payment, they can do so safely and securely
- Request explicit consent for the way you use data. It used to be common practice that any time you emailed a business, filled in a form on their website, or bought something from their website, that company would add you to their mailing list for marketing purposes. GDPR makes this illegal. If you’re planning on having a mailing list (or if you currently have one) you’ll need people to give you their express consent to have them on your list. This includes people who may already be on your list, meaning you’ll need to reach out and offer those people the chance to give consent. If they don’t, you’ll need to remove them from your list. This goes for marketing databases and similar forms of storing data. You’ll find plenty of information on the ICO website about requesting consent
- Create Fair Processing Notices. Again, the ICO website can help you with this
- Train your employees to ensure they’re aware of the need to be GDPR compliant, how this affects their work, and what they need to do if there’s a breach. Most IT security experts say that the biggest cause of most security breaches is simply human error from someone within the business, so it pays to be prepared
- Check that your suppliers and contractors are GDPR compliant too. One of the more serious consequences of GDPR is that data breaches within any third-parties you work with, whether that’s one of your suppliers or a sub-contractor, could still result in penalties for your business. That’s why it’s such a good idea to take time now in contacting those suppliers and contractors and ensuring they’re ready for May 25th.If you don’t have time to visit them personally, you can email over a checklist for them to complete and send back. If their own data protection measures aren’t enough for GDPR compliance, now is the time to start looking at taking your business elsewhere
- Update your contracts with anyone who processes data on your behalf. If you have sub-contractors, for example, who collect customer data on your behalf, then the new regulations require you to add several new clauses to your contracts. These clauses can be found in Article 28(3) of the GDPR, and ensure that any third-parties working on your behalf are legally required to adhere to GDPR rules.
Yes, that’s an awful lot to take in, but look, this is serious stuff. The importance of GDPR can’t be stated enough, and with only one month to go, there’s never been a more vital time to ensure that you and your business are ready for the biggest change to data protection laws in over 20 years.
For more information on GDPR and the next steps, please visit the ICO‘s website, where you’ll find a range of resources on the subject. Below, we’ve listed some of the resources you’re most likely to need to get you GDPR-ready:
- Overview of GDPR
- Preparing for GDPR – 12 Steps To Take Now
- GDPR – What To Expect & When
- European Commission – Article 29 Working Party
How do you see GDPR impacting your business? What measures have you already taken to get ready for May 25th? Get involved in the discussion on Facebook and Twitter., or let us know in the comments below.