The volume and quality of personal data businesses can collect (and the ease with which it can be stored, accessed and used) have myriad benefits, but also carry risks, especially in today’s regulatory environment. A recent study has shown that 85% of SMEs understand GDPR, but more than half are still not meeting the legal requirements.
Elliot Fry, Managing Associate at law firm Cripps Pemberton Greenish, gives SMEToday’s readers some pointers.
Leaving aside the reputational damage a breach can cause, it’s hard to miss the eye-watering fines imposed by the Information Commissioner’s Office (ICO) on companies who have failed to keep personal data secure or misused it. If you are subject to an ICO investigation, you need to be able to show you took the right steps towards compliance, and have the right documentation in place. Now more than ever it is crucial that companies of all sizes take time to get to know their obligations under data protection law.
The law
Following Brexit, the EU’s GDPR is no longer directly applicable to all UK businesses (although if you do business in the EU, it may still be). However, the UK (as part of Brexit) has implemented its own version of the GDPR, which essentially replicates the EU’s GDPR in UK law, so (unless and until the UK creates its own more bespoke law) the GDPR is here to stay.
This legislation applies to all businesses, even if you are a small or medium-sized company.
Your people: Getting your employees up to speed with how they can keep personal data secure is the best way of avoiding data breaches or unintended misuses of personal data. The more they know about how important personal data is, and how to keep it secure, the easier protecting that data and using it in the right way will be.
Not everyone in your business needs to know the GDPR back-to-front, but you should make sure you have someone who broadly understands the requirements, and who takes ownership of data protection responsibilities in the organisation (even if you don’t need a formal “Data Protection Officer”). Other personnel may only need to know a few “golden rules” depending on their role.
Contracts: If you use a service provider that accesses, stores or uses personal data on your behalf, they may well be a “processor”. Where you appoint a processor, the GDPR requires you to have a written contract with that processor, which must include details of the processing and some specific obligations on that processor (in particular, the processor must only process personal data on your documented instructions). The GDPR requirements here are quite specific, so if you are using older contracts (pre-2018), it’s very unlikely that those agreements will be compliant.
Larger service providers should already have updated their agreements, but small service providers may not have dealt with this proactively. You should also look at any transfers of data outside of the European Economic Area (in particular to the USA), to confirm if these are compliant.
Notices: The GDPR requires a privacy notice to be supplied to anyone whose personal data you hold (subject to some exceptions).
It’s worth remembering that employees are data subjects too, and you will need a privacy notice to set out how you use their data. We consider businesses need a minimum of two privacy notices (an internal one for personnel, and an external one for everyone else). The GDPR also requires you to bring that notice to the attention of the relevant individuals.
Data Controller Register: The GDPR requires organisations to keep a record of their processing activities (and a general description of your security measures). While this obligation is reduced for organisations with fewer than 250 employees, it’s likely that an organisation of any size will have to keep at least a partial record. Keeping a full record is a matter of best practice and assists your other compliance activities.
Special Category Data Appropriate Policy Document: The Data Protection Act 2018 requires that, if you process special category data (particularly sensitive types of data, which include health information) in certain circumstances (including, for instance, to monitor sick leave or for other employment-related reasons), you will need an appropriate policy document setting out how you comply with the GDPR’s principles and your retention and erasure policies regarding that data.
Data Breach Register: GDPR requires organisations to document any data breaches they suffer, the effects of that breach, and the remedial action they have taken.
How can I find out more?
If you would like to find out more, a good place to start is the Cripps Pemberton Greenish Data Protection Hub, which sets out a lot of guidance on different areas of your business which may be affected. Cripps have also prepared a Data Protection Toolkit, which contains questionnaires, customisable template documents and related guidance that can help you get up to speed with data protection law.
Alternatively, the ICO has prepared a ‘SME web hub’ where you can find advice on data protection implications concerning everything from installing CCTV cameras at your premises, to dealing with subject access requests.