As I prepare to go on the radio tomorrow, to discuss GDPR with a panel of other ‘experts’, I have been considering my experience so far.
Views on it seem to vary widely from a complete ignorance about it to the attitude that it’s just another Y2K, to complete panic. Whilst no one really knows what’s going to happen when, on 25 May, the ICO starts to regulate and penalise companies who are in breach of the rules, it does seem dangerous to do nothing.
My previous blog covers the advantages to you, the individual, and this alone could mean the ICO will experience a number of whistleblowing situations from individuals who feel they’ve had their rights breached. Having recently recruited a further 200 people, the ICO will almost certainly be ready to investigate these situations.
On Monday I posted an article published by www.smallbusiness.co.uk (https://www.linkedin.com/company/simplyoperations/) suggesting that a high percentage of people are likely to exercise their right to be forgotten as they’re concerned about the safety of their personal data.
Another thing that struck me is how people seem to be stuck on getting ‘consent’ to hold data as if it’s the only ‘lawful’ reason for holding it. Of course, for most people that will be the best reason to hold it, and is certainly preferential if practical. But, it shouldn’t be forgotten that there are a total of six reasons for holding data so, before you get into a huge campaign to obtain consent, consider whether it is necessary.
For most companies, they already have measures in place to be compliant with the original Data Protection Act and their main aim will be to tighten the practices they already use. For others, it might take a bit more thought. Either way, getting someone, like me, to go through everything with you, will make everything clear, get it recorded in a policy and help you to be compliant before the May deadline.
As I’ve been networking over the past couple of weeks I’ve had numerous conversations with people asking me about GDPR. People have heard a number of rumours about it and over the next few blogs I intend to unpack some of the confusion.
So what is it?
GDPR stands for General Data Protection Regulation. A regulation is a number of specific requirements or enforcements, and, in this case, they are set out to protect an individuals data. Whilst is it an EU regulation, it is something that the UK will be adopting regardless of Brexit and so, for the purpose of this blog, any reference to EU citizens include the UK. The regulation comes in on 25 May 2018 by which point all companies need to be compliant.
Who does it affect?
The short answer is all companies, worldwide, that process personal data of any EU citizen.
This will harmonise data privacy laws across the EU and give an individual more control over what happens to their data.
What is the definition of ‘personal data’?
GDPR considers ‘personal data’ to be anything that can be used to identify an individual. This includes genetic, mental, cultural, economic and social information.
Surely this is just another way of presenting the Data Protection Act (DPA)?
There are key differences to GDPR, not addressed by the DPA, and a key one is to note that the DPA is a UK act only, whereas GDPR is an EU directive ensuring consistency across all EU countries.
Other differences are set out below:
Non-compliance of DPA can result in fines up to £500k, or 1% of annual turnover however with GDPR these fines could be up to €20m or 4% of annual global turnover
Companies of more than 250 employees will need to assign a Data Protection Officer to ensure compliance
Under DPA businesses are not obliged to report data breaches. With GDPR any data breach must be reported to the Supervisory Authority within 72 hrs of the incident
Under GDPR an individual will have the right to have their data permanently deleted from all databases, including web records etc, where there is no requirement under DPA
Where DPA didn’t necessarily require an opt-in for data collection, with GDPR this will be required, along with clear privacy notices that are transparent. Consent must be able to be withdrawn at any time
Interested in knowing more? Look out for my blog on Wednesday setting out what actions you need to take now.
Yes, you do! You need to be ready by 25 May 2018 as no business is exempt.
Some of the regulation is still being agreed, however here are the actions you can take now. Remember that the individuals’ rights under GDPR are:
Appoint a Data Protection Officer if you are a firm of 250 people or more.
Document what data you hold. Where did it come from? What is it used for? Where is it held? Note, if you use cloud-based systems, you need to identify where that cloud is held.
Review your privacy notices. Are there any changes you need to make? Note: this can no longer be embedded in your terms and conditions, but needs to be somewhere more visible.
Identify the legal basis you are holding the data. Is it necessary?
Did you ask the individual for permission to hold their personal data? Review your processes for obtaining data. Do you specify what you’d use their data for and ask them if you can use it for that purpose? Can you prove you have permission to hold their data and use it for those purposes specified? Is the data up to date and accurate? If you answered ‘no’ to any of these questions, you will need to run an exercise to obtain permission from your clients to hold their data. Consider how you will do this going forward
Update your procedures to ensure they cover all individuals rights, including how you would delete personal data or share it electronically. What is your procedure for handling requests for access to data?
Data breaches – you need to have a procedure to act on this as all data breaches need to be reported to the Supervisory Authority within 72 hrs.
Do you carry out Data Protection Impact Assessments? These will be a requirement under GDPR so, if you don’t already do so, you need to bring in a policy for doing so and start acting on it.
Children: if you hold data for children you need to identify what age you need parental consent up to.
Overwhelmed? Give me a call on 0845 869 0141 or use the ‘contact me’ form on this site. I can help!
For more reading:
Whilst my other posts have focussed on what you, as a business owner, need to do to be ready for GDPR, I thought it would be good to remind you of the benefits of GDPR, for you as an individual:
You will be able to request access to your data and companies will be obliged to provide it, providing the request isn’t deemed to be manifestly unfounded or excessive, primarily meaning repetitive! The company will need to specify why they refuse if they do so. Previously a £10 charge would have been made for any requests of this nature, however, this is no longer acceptable. You should expect to receive that data securely, however, where a large amount of data is requested, you should expect to specify your requirements.
To have inaccuracies corrected. Data should be reviewed by companies on a regular basis, and updated for any inaccuracies.
To have information erased. Just because you signed up for a newsletter once, doesn’t mean you have to continue to receive it. With GDPR you have the right to have your data removed from the distribution list, and deleted entirely from the companies’ systems.
To prevent direct marketing. We all hate it, right?!! With GDPR you can determine what marketing you’re happy to receive and what you don’t want any more.
To prevent automated decision-making and profiling. So what does this mean? The definition I found stated that it’s ‘an automated decision made following processing of personal data where no humans are involved in the decision-making processes and where the automated decision can have a significant impact on the individual (ie where the decision relates to job performance or creditworthiness etc)
Data portability, ie to have the right to your own data in order to use it for your own purposes across different services.
As I celebrate one year in business, I have been reflecting on the journey this last year has taken me on. It’s fair to say I’ve spent most of the year completely out of my comfort zone and it’s been a massive learning curve, however, I’ve had some great support and advice and somehow I’m still here!
I’ve met some interesting people, discovered a whole new world I never knew about before and learned a lot along the way. I’m sure I have much more still to learn but, as I reflect, I thought I’d set down some of the key lessons I’ve learned, in the hope that it might encourage others starting this journey:
The first thing I learned was about networking groups! There are loads of them. Just as you think you’ve exhausted all the possibilities, someone will mention another group, and you’re off again. They can be, pretty much, at any time of the day or evening and often the format will vary from formal meetings with speakers and an agenda etc to others where you are there to drink coffee (or wine, if you’re lucky) and mingle.
And you do need to network all you can in the early days. It’s the easiest way to market your business, and you get to meet more seasoned business owners many of whom are often more than happy to share their experiences and business knowledge with you. I’ve found overall that these groups tend to be very friendly and supportive and, over the months, have identified the ones that work best for me.
At networking groups, you may be asked to do an elevator pitch. This is usually for 30 to 60 seconds and is an opportunity for you to explain about your business. I wasn’t expecting that, and have to admit to being completely unprepared at my first networking meeting. I’m now much more prepared! As an aside, you don’t want the ‘elevator pitch’ to be too ‘salesy’ and it’s good if you can adapt it to be relevant to those at the meeting.
Then there’s other stuff to think about. When I first started out I couldn’t believe how many apps there were, designed to make your life easier as a business owner; apps for managing projects; financial management apps; HR apps; CRM systems (many of which do slightly different things) etc. As someone who enjoys dabbling with technology, I am in heaven!
You’ll end up working longer hours than you did in a paid job, but the flexibility it gives you is worth the times you have to work weekends or nights.
Use your social media….a lot! As someone who didn’t make many updates, this has been a hard one to get used to and I’m sure I could still do with doing more.
You’re never truly ‘off duty’ either. I discovered this when I was out with some friends recently, and someone at our table started asking about what I did. I found myself giving my elevator pitch and we exchanged business cards! Emails come in all the time and it’s always on your mind as to what more you can do to market your business or improve the suite of services you offer.
It’s worth doing your research to find out what potential clients think about your service offering and adjust accordingly.
On that note, throughout the year I’ve been asking different people for feedback on my business and one of the key things I learned was that my original business name, Virtual Office Services, wasn’t doing me any favours. It seems a number of people either assumed I managed a virtual office working space or that I offered telephone support.
Therefore, as it’s the new year, it seems a good time to rebrand under the new name ‘Simply Operations’.
Whilst I still offer admin assistance, I am also offering clients a ‘broad and high level’ review of all their back-office systems and processes, adding value by making them more efficient, and ensuring they are meeting their compliance requirements.
What this means is that I offer to assist clients to become GDPR compliant, advising on the best systems to manage their clients and staff personal data. I can review their Health & Safety processes and carry out desk assessments for staff if they need them.
With a background of working for professional practices, I can also recommend anti-money laundry processes as part of a review of their onboarding of clients.
And, with all of this, not only will I review and recommend changes, I will then implement them, leaving clients with new systems and processes that work, all set out in a user-friendly manual.
I’m sure next year, I’ll have a whole load of other lessons to add to this, but for now, to anyone reading this, Happy 2018 and good luck for the year ahead.