What is the GDPR? A quick overview
The Regulation came into effect on 25 May 2018, and was designed to strengthen the rights of EU residents regarding the way organisations process and use their personal data.
These rights essentially boil down to two things: first, organisations must have a clear purpose for collecting personal information, and must give individuals the ability to review, amend or challenge data processing practices.
Second, organisations must implement security measures to protect personal data from being breached or misused, and they must disclose any security incidents involving this data.
If you’re wondering how Brexit affects this – given that the UK is no longer a member of the EU – there are two things to bear in mind.
First, the UK has implemented the UK DPA (Data Protection Act) 2018, which adopts the GDPR into national law. It contains almost all the same requirements, with a handful of additions and clarifications.
Second, if you process EU residents’ personal data, the GDPR still applies. That’s because the scope of the Regulation is based on the location of the data subject, not the organisation.
Further reading: How will UK organisations share data with the EU in no-deal Brexit?
What is personal data?
In the most basic terms, personal data is any information that someone can use to identify, with some degree of accuracy, a living person.
There is also a special category of personal data devoted to sensitive information. It consists of information related to:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data; and
- Biometric data (where processed to uniquely identify someone).
Because this information could be particularly damaging if breached, the GDPR requires that organisations take extra steps to protect it.
Further reading: What’s the difference between personal data and sensitive data?
Does the GDPR apply to small businesses?
When the GDPR came into effect, there was a misconception that it only applied to multinationals, and that small business owners didn’t need to bother with it.
The truth is that the Regulation applies to all organisations that process EU residents’ personal data, whether they are sole traders, small businesses or conglomerates.
However, there is an exemption for organisations that employ fewer than 250 people. If your organisation fits that criterion, you only need to document processing activities that:
- Are more than a one-off occurrence or something you do rarely;
- Are likely to result in a risk to the rights and freedoms of data subjects; and
- Involve special categories of personal data or criminal conviction and offence data.
What does the GDPR mean for my business?
Let’s now turn our attention to the GDPR and the specific effects on small businesses.
Contrary to what you might have heard, you don’t necessarily need consent to process personal data.
Consent is in fact only one of six lawful bases you can use – and because of the complexity of obtaining and maintaining it, you should only rely on it when none of the other bases apply.
When you do rely on consent, remember that the data subject needs to provide a clear affirmative action for it to be valid. That means no pre-ticked boxes or agreements hidden within other requests.
Examples of a clear affirmative action include signing a consent statement on a paper form, clicking an opt-in button or link, and choosing technical settings or preferences on a dashboard.
You can market directly to anyone, provided that the processing meets certain requirements.
You must obtain the data subject’s information using one of the six lawful bases, the way you use that information must have a minimal impact on their privacy, and you must be reasonably sure that they wouldn’t object to what you are doing.
If the processing is also subject to the PECR (Privacy and Electronic Communications Regulations), you must also inform the data subject that you’re using their data for marketing purposes.
If they object, you are required to stop processing their personal data.
Data subject’s right to access
The GDPR gives individuals the right to review any personal data of theirs that an organisation processes.
The process by which they do that is known as a DSAR (data subject access request) – and once an organisation receives one, it has one month to respond.
Data breach reporting
Organisations must notify their supervisory authority – in the UK, the ICO (Information Commissioner’s Office) – of a data breach within 72 hours of becoming aware of it.
By ‘breach’, we aren’t simply referring to cyber attacks; it can be any incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
As this definition suggests, data breaches are only sometimes the result of a criminal hacker breaking into your systems.
They are just as likely to occur when an employee accidentally sends personal information to the wrong person, loses a laptop containing personal data or fails to password-protect an online database.
All of these scenarios are subject to the GDPR’s data breach reporting requirements, and require you to notify the ICO.
GDPR compliance checklist
Has your organisation met all the requirements that we’ve listed here? If you haven’t, it’s not too late – although you need to act now to demonstrate to the ICO that you take compliance seriously.
To help you on your way, we’ve distilled everything you need to do into our GDPR compliance checklist.
It provides more detail on the requirements we’ve discussed in this blog, alongside further guidance for small businesses on how to comply with the GDPR.