Putting privacy into practice: are you ready for the new regs?
Updated: Feb 27, 2019
This week in Cranbrook, local business owners had the opportunity to come together to learn how the GDPR will impact small businesses from 25th May 2018, and how to put their data handling policies into practice.
Alex Lee of local law firm, Buss Murton, set the scene by explaining that in today’s data-driven world, the core objective of the EU regulation is to put the power back into the hands of the consumer. With this in mind – despite the ICO (Information Commissioner’s Office) initially focusing on the compliance of larger companies – we should all be starting to adopt ‘privacy by design’ approaches to data, regardless of the size of our businesses. Simply put, by law, business owners need to ensure that any new procedures for collecting, processing and storing customer data put the customer’s privacy first and foremost.
So as local business owners, where do we start, and how do we put this into practice in line with the new GDPR framework?
Spring clean your data with an in-house audit
The first thing to do is to assign a member of the team as the ‘Data Controller’. Companies with over 250 employees will be required to appoint an official Data Protection Officer, but as this role carries with it a number of legal responsibilities, small businesses are safer avoiding the official title of DPO and opting for something more generic, such as data controller or customer data manager.
This person should then begin an audit of your company’s data records by listing all the types of personal data you hold, the format (Word, Excel, Data Management Platform), the device (mobile, laptop, cloud-based server), and the reasons why you are holding it. It’s important to keep a record of this information in case you ever need to demonstrate to the ICO the actions you have taken, and to use it as the basis for a regular (e.g. annual) data review.
Data is deemed to be acceptable if it adheres to the following criteria:
· You have a ‘legitimate interest’ in the data
· You need the data in order to ‘enter into or perform a contract’ with a customer
· You have obtained ‘legal consent’ from the customer – see definition below
· The identity of the data controller is made known to the customer
· You ensure the data is as accurate now as when you first obtained it, and is maintained as such
Draft a new data policy
Once you have assessed your current data records and practices, you may need to make a few small changes to ensure you are collecting data lawfully. Communicate your policy to the wider team to ensure everyone is collecting and storing data correctly. Make sure you have a legitimate reason for holding any data and, if you don’t, delete it – this is known as ‘data minimisation’. Also, be aware that under the new rules you will need to delete customer data immediately upon the subject’s request.
Understand ‘explicit’ vs ‘implicit’ consent
First of all, make sure your customers are explicitly ‘opting in’ to allow access to their details (i.e. any personally identifiable information). Informing the customer that you are going to collect their data unless they opt out (i.e. implied consent) is no longer acceptable, and could land you in trouble if you are unable to demonstrate that you have obtained their permission. If you have obtained a customer’s details via a third party, for example by purchasing a marketing database from another company, you must also be able to prove you have each customer’s permission for their details to be passed on in this way.
Allow customers to unsubscribe - easily!
Remember subscribing to sites such as Groupon all those years ago and being spammed forever after as you simply didn’t have the time to work out how to unsubscribe? Well in theory, those days are over, as under the GDPR, companies must make it as easy to unsubscribe as it is to opt in to a mailing list in the first place.
It’s important to bear in mind that while the ICO may initially be keeping its eye on larger companies, after two years it is likely that even smaller companies will need to submit evidence of their data handling policies as part of their annual tax return – so it’s best to start implementing your GDPR-compliant procedures today to be on the safe side. To find out more about how the GDPR will affect your business, check out the ICO’s 12-step guide to the GDPR, and start preparing today!