GDPR – Are You Ready? Part 1 – General Provisions and Physical Data
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, leaving little time to prepare if you have not already done so. The penalties for non-compliance are crippling, so you must ensure you are prepared.
A common response when many small business owners are asked about GDPR is ‘It doesn’t apply to me, at least I don’t think it does’. The probability is that it does apply to you, and even if the consents required can be implied, there are still steps you must take to be fully compliant.
The data referred to is any information that can personally identify an individual which is held in electronic or physical form. It does not just apply to records held in electronic systems. If you process any data about anyone in the EU (including the UK after Brexit) then you must be compliant, even if you operate your business outside the EU.
You need to prepare an inventory of the data you hold, which is regularly updated. This should show the data you hold, your reason for holding it, your lawful ground for holding it and how long you keep it, amongst other considerations. Many of these are covered by law (employment records, accounts, company and taxation records) but they still need to be identified and clearly stated.
Much is made of ‘lawful grounds’ for processing data, particularly where there is implied consent. These include:-
- Official authority / public interest
- Compliance with a legal requirement
- Necessary for the performance of a contract or service
- Protecting the interests of the individual
- Specific consent
- Legitimate interests, except where they are overridden by the interests or fundamental rights and freedoms of the data subject, especially where the data subject is a child
Processing ‘Sensitive Data’ requires explicit consent, such as signing the form on which the data is collected. You also need a system in place which records these consents. Sensitive data includes anything relating to:-
- Religious or political beliefs
- Genetic, biometric or health data
- Sexual orientation and behaviour
Privacy notices have generally been associated with websites; however, you now need to consider whether you need a hard copy notice, which should be available in your business premises. This should cover details of:-
- What data you collect
- Why you collect it
- What you do with it
- How long you keep it
- How you keep it secure
Data should not be retained for any longer than necessary, and you must state clearly how long you retain data for. Some information is covered by legal requirements, such as Payroll, Accounts and Company information. You should have a Data Retention Policy which states how long you keep the various items of data you collect.
People are entitled to know what information you hold so you should have a system in place to answer requests. You may not charge for answering such requests unless they are frequent. You must respond to any requests within 30 days.
Data security is paramount: you must take adequate precautions to ensure that any information you hold, whether physical or electronic, is kept secure.
You must put in place a process for dealing with a data breach. If there is a loss, alteration, unauthorised disclosure of or access to personal data and there is a risk to the rights and freedoms of individuals you must notify the ICO within 72 hours of the breach.
You should also check that your insurance is adequate. It is advisable to contact your insurance broker to discuss any increased liability due to GDPR (e.g. increased fines or additional liability as a data processor) and ensure that your insurance coverage is sufficient.
We will cover the general provisions for employment data and electronically held data in further articles. The above is for general guidance only and you should refer to the relevant information on the ICO website for definitive information.
If you need any further guidance please feel free to contact us for more information.