“Can I have your email address?” I was asked this recently whilst buying a pair of socks. Yes, a pair of socks!
We live in a world now where we share our personal data constantly. The above example is one of the more extreme, but I, like so many of us, give out my email address almost daily. In most situations I can only assume what it is going to be used for and I rarely ask.
I don’t need a receipt for my socks, but I know this isn’t really the point. Most large organisations, like the store I was in, will have detailed data protection processes, policies, compliance officers and training for their staff. And we know from recent Information Commissioner’s Office (ICO) investigations and news stories that even these large companies cannot get data protection compliance right.
So, what about smaller businesses? How do those that don’t have the resources that the large organisations have ensure compliance with this complex area of regulation?
If you are a start-up or a small business you may think that data protection regulation doesn’t really apply to you. This is not an uncommon perception. People have heard of the Data Protection Act but do not really know what it is or how it applies to them. This isn’t really the fault of those who control the data as the information out there in relation to data protection regulation is outdated and confusing!
In fact, very few businesses fall outside the scope of the current data protection regime in the UK. The Data Protection Act 1998 (DPA) applies to all businesses which process personal data. This means that even if you don’t collect and process customer or client data, you are still likely to hold employee data and this means that you must consider your compliance with data protection legislation.
If you collect any information from which an individual can be identified, for example, on your website, through promotions or competitions, via online sales transactions, or about your employees this must be collected, processed and stored in accordance with the DPA.
And to add to the confusion, things are about to change! Given that we are still operating under legislation which came into force in the late ‘90s, I say about time too! In May 2018 the General Data Protection Regulations 2018 (GDPR) will come into force.
We have recently had confirmation that regardless of the Brexit process, we can still expect the GDPR to form part of UK legislation from next year. Whilst most of the principles from the DPA will remain, there are some key differences with several new concepts and approaches. The ICO has described it as a “game changer for everyone”.
Young and smaller businesses have a huge advantage here. Large businesses, which hold thousands of individuals’ personal data, face a huge task of updating their processes, policies and training, as well as updating the consents that they hold, to ensure that they remain compliant, whereas younger businesses can build their data protection policies and processes around the impending changes.
The downside for smaller businesses is that they often have less time and resource to invest in implementing such changes and with less to invest they are generally less well-prepared.
Many businesses will need to implement organisation-wide changes to ensure that personal data is processed in compliance with the GDPR's requirements. Such changes may include redesigning systems that process personal data, renegotiating contracts with third party data processors and restructuring cross-border data transfer arrangements.
Businesses will also need to assess the consents that they currently hold and the mechanisms through which consents are provided. Businesses that rely on consent as a legal basis for processing personal data will need to carefully review their existing practices to ensure that any consent they obtain indicates an affirmative agreement from the data subject (for example, ticking a blank box). Implied consent (for example, failing to un-tick a pre-ticked box) does not constitute valid consent under the GDPR.
Changes to current practices will take time to implement, particularly for large businesses. The big advantage for smaller businesses is that they are nimble and flexible without the bureaucracy that undoubtedly attaches itself to a large business, which means that they can change their processes (or even put the correct processes in place from the start) with relative ease to ensure compliance.
With enforcement powers increasing under the GDPR, you don’t want to be on the receiving end of an ICO investigation. Equally, as a small business, the likelihood is that you will have an exit on the horizon. Data protection is a hot topic for buyers and they are always going to want to see evidence of compliance with the DPA and, in turn, the GDPR.
If the target company cannot demonstrate compliance the sellers will be expected to give an indemnity and remain on the hook for any liabilities which may arise as a result of non-compliance.
Indemnities in respect of data protection compliance are often far-reaching and uncapped as it is difficult for the parties to value the potential risk. Avoidance of them altogether, by being in a position to demonstrate compliance, is the best position to be in when you are negotiating with a potential buyer.
The GDPR will come into force on 25 May 2018. The Information Commissioner’s Office is already releasing lots of useful guidance and it is vital that businesses ensure that they know what the changes will be and how they can remain compliant.
The ICO is conscious that it needs to ensure that its guidance gets through to SMEs and that it is accessible and easy to understand. You may want to start with the ICO’s 12 step plan to help organisations prepare for the GDPR, which is summarised below:
1. Awareness – Decision makers, stakeholders and key people in each organisation need to be aware of changes brought in under the GDPR and appreciate the impact this is likely to have.
2. Information you hold – Personal data held should be properly documented to record where it came from and where it is shared – an information audit may prove useful.
3. Individuals’ rights – All procedures should be checked to ensure they cover all the rights individuals have, including how personal data is deleted, shared and stored.
4. Communicating privacy information – Current privacy notices should be reviewed and amended where necessary in time for GDPR implementation.
5. Legal basis for processing personal data – All data processing should be reviewed to identify the legal basis for it being carried out and this should be documented.
6. Data breaches – Companies must ensure they have the right procedures in place to detect, report and investigate a personal data breach.
7. Data Protection by Design and Data Protection Impact Assessments – Companies must familiarise themselves now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them.
8. Consent – Businesses should assess how they are seeking, obtaining and recording consent and whether they need to make any changes.
9. Subject access requests – Subject access request procedures should be updated and processes put in place which lay out how the business will handle requests within the new timescales and provide any additional information.
10. Children – Systems should be put in place to verify each individual’s age and to gather parental or guardian consent for the data processing activity.
11. Data Protection Officers – A Data Protection Officer should be appointed, if required, or someone should take responsibility for data protection compliance, and the business should assess where this role will sit within its structure and governance arrangements.
12. International – Where an organisation operates internationally, it must determine which data protection supervisory authority it comes under.
Whilst these steps offer a useful start to businesses and start-ups preparing to tackle the new GDPR rules from next year, it is often sensible to also seek professional advice to ensure your business remains compliant at all times.
A more comprehensive list of the ICO’s guidance can be found here.